CVE-2023-34062

Summary

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Specifically, an application is vulnerable if Reactor Netty HTTP Server is configured to serve static resources.

Affected Software

VendorProductVersion RangeStatus
n/aReactor Netty1.1.0 < 1.1.13affected
n/aReactor Netty1.0.0 < 1.0.39affected
n/aReactor Nettyolder unsupported versionsaffected

Weaknesses

  • Directory Traversal

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References