A critical directory traversal vulnerability, identified as CVE-2023-34062, has been discovered in the Reactor Netty HTTP Server, the HTTP server component of the widely used Reactor Netty framework. This vulnerability, which has a CVSS score of 7.5, could allow malicious actors to gain unauthorized access to sensitive files and potentially compromise affected systems.
Vulnerability Overview
The vulnerability stems from an implementation flaw in the Reactor Netty HTTP Server that allows attackers to manipulate request URLs in a way that bypasses the server's path restrictions and traverses the filesystem of the vulnerable system. By crafting specially designed URLs, attackers can potentially access and steal sensitive files, including configuration files and other sensitive data, or even execute arbitrary code.
Affected Products and Versions
The CVE-2023-34062 vulnerability affects Reactor Netty HTTP Server versions 1.1.x before 1.1.13 and versions 1.0.x before 1.0.39. Additionally, any application that uses the Reactor Netty HTTP Server to serve static resources is potentially vulnerable.
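As an added example (not taken from this advisory and not code from the Reactor Netty project), the following Python shows the containment check a static-resource handler needs before touching the filesystem, and reuses that check to scan access-log lines for requests that would have escaped the static root. The static root /srv/app/static, the /static route prefix, and the log lines are all constructed for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed example values: the directory a static route is allowed to serve
# from, and the URL prefix that maps onto it.
STATIC_ROOT = "/srv/app/static"
ROUTE_PREFIX = "/static"


def resolve_static_path(request_path: str, static_root: str = STATIC_ROOT) -> Optional[str]:
    """Map a request path onto a file under static_root.

    Returns the normalized absolute path, or None when the request would
    resolve outside the static root (directory traversal).
    """
    # Percent-decode repeatedly (bounded) so %2e%2e and double-encoded
    # %252e%252e both end up as the literal characters they stand for.
    decoded = request_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # NUL bytes can truncate a path in native file APIs; never pass them on.
    if "\x00" in decoded:
        return None

    # Drop query string and fragment, and treat backslashes as separators so
    # "..\\" cannot slip past a forward-slash-only check.
    decoded = decoded.split("?", 1)[0].split("#", 1)[0].replace("\\", "/")

    # Join first, normalize second: normalizing the request path on its own
    # would silently fold "../../x" into "/x" instead of rejecting it.
    candidate = posixpath.normpath(posixpath.join(static_root, decoded.lstrip("/")))

    # Containment via commonpath, not startswith: startswith would accept
    # /srv/app/static-private for a root of /srv/app/static.
    if posixpath.commonpath([static_root, candidate]) != static_root:
        return None
    return candidate


# Constructed access-log lines in Common Log Format.
LOG_LINES = [
    '10.0.0.5 - - [10/Nov/2023:12:00:01 +0000] "GET /static/css/site.css HTTP/1.1" 200 1024',
    '10.0.0.7 - - [10/Nov/2023:12:00:02 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.7 - - [10/Nov/2023:12:00:03 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [10/Nov/2023:12:00:04 +0000] "GET /static/img/../css/site.css HTTP/1.1" 200 1024',
    '10.0.0.9 - - [10/Nov/2023:12:00:05 +0000] "GET /api/health HTTP/1.1" 200 12',
]

_CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_traversal_attempts(lines: List[str], prefix: str = ROUTE_PREFIX) -> List[Tuple[str, str]]:
    """Return (client_ip, raw_path) for logged requests under the static route
    that would have resolved outside the static root."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue
        ip, _method, raw_path, _status = m.groups()
        if not raw_path.startswith(prefix + "/") and raw_path != prefix:
            continue
        if resolve_static_path(raw_path[len(prefix):]) is None:
            hits.append((ip, raw_path))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(LOG_LINES):
        print(f"traversal attempt from {ip}: {path}")
```

The check is purely lexical; on a live system the handler should additionally resolve both the root and the candidate with `os.path.realpath` so that symlinks inside the static directory cannot point outside it. Scanning logs with the same function is useful after upgrading, to see whether the vulnerable versions were probed before the fix was applied.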
Mitigation and Remediation
To address this vulnerability, users of affected Reactor Netty HTTP Server versions are strongly advised to upgrade to the latest patched versions:
- Reactor Netty 1.1.x users: Upgrade to Reactor Netty 1.1.13
- Reactor Netty 1.0.x users: Upgrade to Reactor Netty 1.0.39
No further steps are necessary after applying the appropriate upgrade.