CVE-2023-34062
Directory Traversal vulnerability in reactor-netty-http (Maven)
What is CVE-2023-34062 About?
This vulnerability affects Reactor Netty HTTP Server versions 1.1.x prior to 1.1.13 and 1.0.x prior to 1.0.39, allowing a malicious user to perform a directory traversal attack. By crafting a special URL, attackers can access files outside of the intended web root, which can lead to sensitive information disclosure. Exploitation is relatively straightforward for an attacker who can send HTTP requests.
Affected Software
- io.projectreactor.netty:reactor-netty-http
- >1.0.0, <1.0.39
- >1.1.0, <1.1.13
Technical Details
The Reactor Netty HTTP Server is vulnerable to a directory traversal attack when configured to serve static resources. The flaw enables a malicious user to craft a specially formed URL containing directory traversal sequences (e.g., ../../). When the server processes this URL to retrieve a static resource, it incorrectly resolves the path, allowing the attacker to access files and directories located outside of the designated web root. This bypasses security checks meant to confine file access to specific directories, allowing an attacker to read or potentially write to arbitrary files on the server, provided the server process has the necessary permissions.
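The containment check described above, written out as an added example: it is illustrative code and not reactor-netty's own implementation, the class name `SafeStaticResolver` is hypothetical, and the sample web root and request paths are constructed. Any request that would resolve outside the web root (via `../`, percent-encoded traversal, absolute paths, or a symlink pointing out of the root) is rejected before a file is opened.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public final class SafeStaticResolver {
    private final Path root;

    public SafeStaticResolver(Path root) throws IOException {
        // Canonicalise the root once so a symlinked root still compares as a prefix.
        this.root = root.toRealPath();
    }

    // Returns the file to serve, or empty when the request would escape the root.
    public Optional<Path> resolve(String requestPath) {
        // Decode exactly once; "%2e%2e/" becomes "../" here and is then caught below.
        String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);
        // NUL bytes and backslashes have no place in a static-file path.
        if (decoded.indexOf('\0') >= 0 || decoded.indexOf('\\') >= 0) {
            return Optional.empty();
        }
        // Drop the leading '/' so resolve() appends to the root instead of replacing it.
        String relative = decoded.startsWith("/") ? decoded.substring(1) : decoded;
        if (relative.isEmpty() || Paths.get(relative).isAbsolute()) {
            return Optional.empty();
        }
        try {
            // normalize() folds "..", toRealPath() follows symlinks; only then test the prefix.
            Path real = root.resolve(relative).normalize().toRealPath();
            if (!real.startsWith(root) || !Files.isRegularFile(real)) {
                return Optional.empty();
            }
            return Optional.of(real);
        } catch (IOException missingOrUnreadable) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample web root: a temp directory holding a single index.html.
        Path webRoot = Files.createTempDirectory("webroot");
        Files.writeString(webRoot.resolve("index.html"), "<h1>ok</h1>");
        SafeStaticResolver r = new SafeStaticResolver(webRoot);
        System.out.println("index.html served: " + r.resolve("/index.html").isPresent());
        System.out.println("plain traversal served: " + r.resolve("/../../etc/passwd").isPresent());
        System.out.println("encoded traversal served: " + r.resolve("/%2e%2e/%2e%2e/etc/passwd").isPresent());
    }
}
```

The ordering matters: decode, normalize and follow symlinks first, and only then compare against the canonical root, since a prefix check on the raw request string can be bypassed by encoding or by a symlink inside the root.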
What is the Impact of CVE-2023-34062?
Successful exploitation may allow attackers to access or manipulate arbitrary files and directories on the server, leading to sensitive information disclosure, unauthorized data modification, or system compromise.
What is the Exploitability of CVE-2023-34062?
Exploitation of this directory traversal vulnerability is of low complexity. An attacker needs to craft a URL with traversal sequences (e.g., ../) and send it to the vulnerable Reactor Netty HTTP Server endpoint configured for static resources. There are no authentication or privilege requirements for this attack, assuming the target is a publicly accessible static resource server. This is a remote vulnerability, as the attack can be launched from any remote location capable of sending HTTP requests to the server. The primary prerequisite is the server being configured to serve static resources and running an affected version. Risk factors include publicly exposed web servers that use vulnerable versions of Reactor Netty for static file serving. No special conditions beyond the crafted URL are typically needed.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-34062?
About the Fix from Resolved Security
The patch adds a scheme validation method during URL parsing that rejects any scheme not explicitly matching "http", "https", "ws", or "wss", resolving the issue where an attacker could inject arbitrary schemes and potentially trigger unintended behaviors. This fix directly addresses CVE-2023-34062 by ensuring only trusted protocols are accepted, preventing SSRF and other attacks that could arise from parsing malicious or unexpected scheme values.
Available Upgrade Options
- io.projectreactor.netty:reactor-netty-http
- >1.0.0, <1.0.39 → Upgrade to 1.0.39
- io.projectreactor.netty:reactor-netty-http
- >1.1.0, <1.1.13 → Upgrade to 1.1.13
Additional Resources
- https://github.com/reactor/reactor-netty
- https://spring.io/security/cve-2023-34062
- https://nvd.nist.gov/vuln/detail/CVE-2023-34062
- https://osv.dev/vulnerability/GHSA-xjhv-p3fv-x24r
- https://github.com/reactor/reactor-netty/commit/b1dd46b9a424ca27f7f770be6561faa84d812e5b
What are Similar Vulnerabilities to CVE-2023-34062?
Similar Vulnerabilities: CVE-2023-3978, CVE-2023-28432, CVE-2022-22965, CVE-2022-42111, CVE-2021-43818
