The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| io.projectreactor.netty:reactor-netty-http (Maven) | 0.9.0 | 0.9.5 | N/A |
| io.projectreactor.netty:reactor-netty-http (Maven) | 0.8.0 | 0.8.16 | N/A |
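
To check a build against the ranges in the table above, the following added example (not part of the advisory or of the Reactor Netty project) scans `mvn dependency:list`-style output for affected versions. The sample lines are constructed, and the function names are hypothetical. A hit means only that the dependency is in range; per the advisory, exposure also requires that the HttpClient is configured to follow redirects.

```python
import re

# Affected ranges copied from the advisory table: (introduced, fixed).
AFFECTED_RANGES = [((0, 9, 0), (0, 9, 5)), ((0, 8, 0), (0, 8, 16))]
COORDINATE = "io.projectreactor.netty:reactor-netty-http"

def parse_version(text):
    """Return the leading numeric part of a Maven version as a 3-tuple.

    Qualifiers such as ".RELEASE" or "-SNAPSHOT" are ignored, so a snapshot
    of a fixed version is treated as fixed (an assumption of this example).
    """
    match = re.match(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no numeric version in {text!r}")
    parts = [int(p) for p in match.group(0).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True if the version is >= an 'introduced' and < the matching 'fixed'."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def find_affected(dependency_lines):
    """Scan group:artifact:type:version:scope lines (no classifier assumed)
    and return the affected versions of the advisory's coordinate."""
    pattern = re.compile(re.escape(COORDINATE) + r":[\w-]+:([^:\s]+)")
    hits = []
    for line in dependency_lines:
        m = pattern.search(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample input, not taken from a real build.
SAMPLE = """\
[INFO]    io.projectreactor.netty:reactor-netty-http:jar:0.9.4.RELEASE:compile
[INFO]    io.projectreactor.netty:reactor-netty-http:jar:0.9.5.RELEASE:compile
[INFO]    io.projectreactor.netty:reactor-netty-http:jar:0.8.15.RELEASE:runtime
[INFO]    io.projectreactor:reactor-core:jar:3.3.2.RELEASE:compile
""".splitlines()

if __name__ == "__main__":
    for version in find_affected(SAMPLE):
        print("affected:", version)
```
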
CVSS Metrics