VYPR
Moderate severity · NVD Advisory · Published Oct 19, 2022 · Updated May 9, 2025

CVE-2022-31684
Description

Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reactor Netty HTTP Server 1.0.11-1.0.23 may log request headers containing access tokens in some invalid HTTP requests, exposing them to log readers.

Description

Reactor Netty HTTP Server versions 1.0.11 through 1.0.23 contain a vulnerability where, under specific conditions, request headers may be logged for invalid HTTP requests. The logging occurs at the WARN level, which is not the default configuration (ERROR is default). This behavior can inadvertently expose sensitive data such as access tokens that are present in the request headers [1][2].

Exploitation

An attacker does not need to authenticate to the server to trigger this logging; any party capable of sending HTTP requests can cause an invalid request that results in header logging. However, to exploit the leaked information, the attacker must have access to the server logs. The vulnerability only manifests when WARN-level logging is enabled for the relevant logger (a threshold of ERROR suppresses it), and only for requests that the server considers invalid [1][2].

Impact

If an attacker gains access to server logs containing headers from such invalid requests, they could retrieve valid access tokens. These tokens could then be used to impersonate legitimate users or access protected resources, depending on the token's scope and validity period. The impact is limited to environments where log access is not tightly controlled and where tokens are routinely passed in request headers [1][2].

Mitigation

The vulnerability is fixed in Reactor Netty version 1.0.24 (reactor-bom 2020.0.24). Users on affected versions should upgrade to the patched release. Additionally, keeping the threshold of the relevant logger above WARN (for example at ERROR), so that WARN-level messages are not emitted, prevents the behavior, though upgrading is the recommended remediation [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.projectreactor.netty:reactor-netty-http (Maven)
Affected versions: >= 1.0.11, < 1.0.24
Patched versions: 1.0.24
