r2dbc-mysql-0.8.2.RELEASE.jar: 1 vulnerabilities (highest severity is: 5.3) reachable

[mend-for-github-com[bot]]

Vulnerable Library - r2dbc-mysql-0.8.2.RELEASE.jar

Path to dependency file: /data/data-samples/sample-data-mysql-reactive-book/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/projectreactor/netty/reactor-netty/1.0.23/reactor-netty-1.0.23.jar

Found in HEAD commit: ac25342ed87808bc68336b53ce636a671aca91da

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (r2dbc-mysql version)	Remediation Possible**	Reachability
CVE-2023-34054	Medium	5.3	Not Defined	0.0%	reactor-netty-1.0.23.jar	Transitive	N/A*	❌	Reachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-34054

### Vulnerable Library - reactor-netty-1.0.23.jar

Reactor Netty with all modules

Library home page: https://github.com/reactor/reactor-netty

Path to dependency file: /service/service-samples/sample-service-reactive-mysql-book/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/projectreactor/netty/reactor-netty/1.0.23/reactor-netty-1.0.23.jar

Dependency Hierarchy: - r2dbc-mysql-0.8.2.RELEASE.jar (Root Library) - :x: **reactor-netty-1.0.23.jar** (Vulnerable Library)

Found in HEAD commit: ac25342ed87808bc68336b53ce636a671aca91da

Found in base branch: develop

### Reachability Analysis This vulnerability is potentially reachable ``` io.americanexpress.service.book.graphql.resolver.query.BookReactiveQueryResolver (Application) -> reactor.netty.http.client.HttpClientConnect$MonoHttpConnect (Extension) -> ❌ reactor.netty.http.client.HttpClientConnect$MonoHttpConnect$ClientTransportSubscriber (Vulnerable Component) ```

### Vulnerability Details

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

Publish Date: 2023-11-28

URL: CVE-2023-34054

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-34054

Release Date: 2023-11-28

Fix Resolution: io.projectreactor.netty:reactor-netty:1.0.39,1.1.13, io.projectreactor.netty:reactor-netty-http:1.0.39,1.1.13