*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.
Vulnerable Library - r2dbc-mysql-0.8.2.RELEASE.jar
Path to dependency file: /data/data-samples/sample-data-mysql-reactive-book/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/projectreactor/netty/reactor-netty/1.0.23/reactor-netty-1.0.23.jar
Found in HEAD commit: ac25342ed87808bc68336b53ce636a671aca91da
Vulnerabilities
Reachable
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-34054
### Vulnerable Library - reactor-netty-1.0.23.jarReactor Netty with all modules
Library home page: https://github.com/reactor/reactor-netty
Path to dependency file: /service/service-samples/sample-service-reactive-mysql-book/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/projectreactor/netty/reactor-netty/1.0.23/reactor-netty-1.0.23.jar
Dependency Hierarchy: - r2dbc-mysql-0.8.2.RELEASE.jar (Root Library) - :x: **reactor-netty-1.0.23.jar** (Vulnerable Library)
Found in HEAD commit: ac25342ed87808bc68336b53ce636a671aca91da
Found in base branch: develop
### Reachability Analysis This vulnerability is potentially reachable ``` io.americanexpress.service.book.graphql.resolver.query.BookReactiveQueryResolver (Application) -> reactor.netty.http.client.HttpClientConnect$MonoHttpConnect (Extension) -> ❌ reactor.netty.http.client.HttpClientConnect$MonoHttpConnect$ClientTransportSubscriber (Vulnerable Component) ``` ### Vulnerability DetailsIn Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.
Publish Date: 2023-11-28
URL: CVE-2023-34054
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2023-34054
Release Date: 2023-11-28
Fix Resolution: io.projectreactor.netty:reactor-netty:1.0.39,1.1.13, io.projectreactor.netty:reactor-netty-http:1.0.39,1.1.13