CVE-2020-5404: 
Java vulnerability analysis and mitigation

The Reactor Netty HttpClient, versions 0.9.x prior to 0.9.5 and versions 0.8.x prior to 0.8.16, contains a vulnerability that could lead to credentials leakage during redirects to different domains. This vulnerability, identified as CVE-2020-5404, was disclosed on February 27, 2020. The issue only manifests when the HttpClient is explicitly configured to follow redirects (Spring Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N. This indicates a network-attackable vulnerability with high attack complexity, requiring low privileges and no user interaction. The scope is unchanged, with high impact on confidentiality and low impact on integrity, while availability is not affected (NVD).

When exploited, this vulnerability can result in the leakage of authentication credentials during redirect operations to different domains. This could potentially expose sensitive authentication information to unauthorized domains, compromising the security of affected applications (Spring Advisory).

Users of affected versions should upgrade to Reactor Netty version 0.9.5 (reactor-bom Dysprosium SR-5) for 0.9.x users, or version 0.8.16 (reactor-bom Californium SR-16) for 0.8.x users. Spring Boot applications should upgrade to version 2.2.5 or 2.1.13. After upgrading, some applications may experience authentication failures following redirects to different domains, requiring explicit configuration of the Reactor Netty HttpClient with a redirect request handler (Spring Advisory).