Vulnerabilities related to typelevel - http4s
Vulnerability from fkie_nvd
Published
2020-03-25 18:15
Modified
2024-11-21 05:33
Severity
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contains `../` or `//` can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8F27ABA-D902-4EFB-AA8A-1C1A3637517A", "versionEndExcluding": "0.18.26", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B72AEE1-950A-4AB8-9620-A9E4DE39ACEB", "versionEndExcluding": "0.20.20", "versionStartIncluding": "0.19.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "15358AD5-7CD3-4EC2-B986-6115420D15D8", "versionEndExcluding": "0.21.2", "versionStartIncluding": "0.21.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported." }, { "lang": "es", "value": "http4s versiones anteriores a 0.18.26, 0.20.20 y 0.21.2, presenta una vulnerabilidad de inclusi\u00f3n de archivos local. Esta vulnerabilidad se aplica a todos los usuarios de org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService y org.http4s.server.staticcontent.WebjarService. La normalizaci\u00f3n de URI es aplicada incorrectamente. Las peticiones cuya informaci\u00f3n de ruta contiene ../ o // pueden exponer recursos fuera de la ubicaci\u00f3n configurada. Este problema est\u00e1 parcheado en las versiones 0.18.26, 0.20.20 y 0.21.2. 
Tome en cuenta que la versi\u00f3n 0.19.0 es una versi\u00f3n en desuso y nunca ha sido compatible." } ], "id": "CVE-2020-5280", "lastModified": "2024-11-21T05:33:49.547", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-25T18:15:14.237", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": 
"https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-23" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-01 20:15
Modified
2024-11-21 06:18
Severity
Summary
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/http4s/http4s/releases/tag/v0.23.2 | Third Party Advisory
security-advisories@github.com | https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/http4s/http4s/releases/tag/v0.23.2 | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6 | Patch, Third Party Advisory
Impacted products
Vendor | Product | Version | |
---|---|---|---|
typelevel | http4s | * | |
typelevel | http4s | * | |
typelevel | http4s | 0.23.0 | |
typelevel | http4s | 0.23.1 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA68C82D-88CA-4315-9FF9-DA0FE8223156", "versionEndIncluding": "0.21.26", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4F97B04-29A9-4A32-BFC8-E971B72596F6", "versionEndIncluding": "0.22.2", "versionStartIncluding": "0.22.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.23.0:*:*:*:*:*:*:*", "matchCriteriaId": "40C64FD8-E742-4D74-BCCD-C585A7E05A70", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.23.1:*:*:*:*:*:*:*", "matchCriteriaId": "AB9E400F-E915-4E63-B580-F54C32CC8FA1", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "65C497F9-281C-4565-BD36-B6B4D7E6F8BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "6FCFC3E5-7530-4AAA-A2C7-36DC307B613B", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "76F8BC53-544C-4285-8D9B-CB91AD080048", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "778947CA-20BA-469F-87E1-97D8713ACC75", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "F5B02828-1E40-49BE-8367-10296625C696", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "A569F32F-3C8C-4F8F-B0BC-6ADC993596A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "525DBF4B-F574-459D-9CE2-6AF597ABAE10", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "FD05B15E-1E4F-43EA-B21A-3B96A77814D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "65C79F52-F05F-4F0A-AC27-393197B9EF00", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "A426B4C0-643A-492F-B7FB-725549F613F6", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "D95E231C-3D13-45FC-AF9A-CB8CF1FFC983", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "CF973F58-0AC7-4B58-A2CF-654133CE7F1A", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "35C40331-C96C-477C-B6BD-D5506E612DA8", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "615BC827-3E0F-4C1E-8FD2-B59FF31F2D49", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "FDFB35FD-4D08-4895-B1B6-FC03BCB3EB22", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "97F74D04-031E-47D4-BA57-DBE9C74CE256", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "DE093D65-1B3A-4A4A-BC76-05DEF9529712", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "DC3CA618-148D-4F97-9913-316DDDD97838", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "02FA538C-9D8A-49D5-8268-1A2C3E96B89B", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "D18A3ABC-5C47-45BF-978C-5BB17787DCFA", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "1CE1CF51-E61A-418A-AB22-9D7A6D690BAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "29A70AAA-B77A-4291-A700-C910362DB8D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "9F8F3C38-57AB-4CBC-8959-7FF51CBA7907", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds." }, { "lang": "es", "value": "Http4s es una interfaz m\u00ednima e idiom\u00e1tica de Scala para servicios HTTP. En http4s versiones 0.21.26 y anteriores, 0.22.0 hasta 0.22.2, 0.23.0, 0.23.1, y 1.0.0-M1 hasta 1.0.0-M24, la configuraci\u00f3n CORS predeterminada es vulnerable a un ataque de reflexi\u00f3n de origen. El middleware tambi\u00e9n es susceptible a un ataque de Origen Nulo. El problema se ha corregido en las versiones 0.21.27, 0.22.3, 0.23.2 y 1.0.0-M25. La implementaci\u00f3n original de \"CORS\" y \"CORSConfig\" est\u00e1n obsoletas. 
Consulte el GHSA de GitHub para conseguir m\u00e1s informaci\u00f3n, incluyendo ejemplos de c\u00f3digo y soluciones" } ], "id": "CVE-2021-39185", "lastModified": "2024-11-21T06:18:49.873", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2021-09-01T20:15:07.447", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/releases/tag/v0.23.2" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/releases/tag/v0.23.2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6" } ], 
"sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-346" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-21 18:15
Modified
2024-11-21 06:25
Severity
8.7 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Summary
http4s is an open source Scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), and URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27. As a matter of practice, http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
typelevel | http4s | * | |
typelevel | http4s | * | |
typelevel | http4s | * | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0B6AFB9-30AE-4CB0-98E8-80E2066211CD", "versionEndExcluding": "0.21.29", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0D7EA70-14A9-4DB3-B96C-2FA713040D65", "versionEndExcluding": "0.22.5", "versionStartIncluding": "0.22.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A613C47-29E5-484C-AEBF-C3B5EB5ED3CF", "versionEndExcluding": "0.23.4", "versionStartIncluding": "0.23.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "65C497F9-281C-4565-BD36-B6B4D7E6F8BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "6FCFC3E5-7530-4AAA-A2C7-36DC307B613B", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "76F8BC53-544C-4285-8D9B-CB91AD080048", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "778947CA-20BA-469F-87E1-97D8713ACC75", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "F5B02828-1E40-49BE-8367-10296625C696", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "A569F32F-3C8C-4F8F-B0BC-6ADC993596A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "525DBF4B-F574-459D-9CE2-6AF597ABAE10", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": 
"FD05B15E-1E4F-43EA-B21A-3B96A77814D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "65C79F52-F05F-4F0A-AC27-393197B9EF00", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "A426B4C0-643A-492F-B7FB-725549F613F6", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "D95E231C-3D13-45FC-AF9A-CB8CF1FFC983", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "CF973F58-0AC7-4B58-A2CF-654133CE7F1A", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "35C40331-C96C-477C-B6BD-D5506E612DA8", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "615BC827-3E0F-4C1E-8FD2-B59FF31F2D49", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "FDFB35FD-4D08-4895-B1B6-FC03BCB3EB22", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "97F74D04-031E-47D4-BA57-DBE9C74CE256", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "2FDC2E12-DE86-4A82-BD2F-C18F715CA673", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:*", "matchCriteriaId": "C1C18467-5FD0-4DCC-8B75-979C03BFF1C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "DE093D65-1B3A-4A4A-BC76-05DEF9529712", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "DC3CA618-148D-4F97-9913-316DDDD97838", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*", 
"matchCriteriaId": "02FA538C-9D8A-49D5-8268-1A2C3E96B89B", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "D18A3ABC-5C47-45BF-978C-5BB17787DCFA", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "1CE1CF51-E61A-418A-AB22-9D7A6D690BAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "29A70AAA-B77A-4291-A700-C910362DB8D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "9F8F3C38-57AB-4CBC-8959-7FF51CBA7907", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening." }, { "lang": "es", "value": "http4s es una interfaz scala de c\u00f3digo abierto para HTTP. 
En las versiones afectadas, http4s es vulnerable a ataques de divisi\u00f3n de respuestas o de peticiones cuando entradas de usuario no confiables son usadas para crear cualquiera de los siguientes campos: Header names (\"Header.name\"), Header values (\"Header.value\"), Status reason phrases (\"Status.reason\"), URI paths (\"Uri.Path\"), URI authority registered names (\"URI.RegName\") (versiones hasta 0.21). Este problema ha sido resuelto en versiones 0.21.30, 0.22.5, 0.23.4 y 1.0.0-M27 llevan a cabo lo siguiente. Como cuesti\u00f3n de pr\u00e1ctica, los servicios http4s y las aplicaciones cliente deber\u00edan sanear cualquier entrada del usuario en los campos mencionados antes de devolver una petici\u00f3n o respuesta al backend. Los caracteres carriage return, newline y null son los m\u00e1s amenazantes" } ], "id": "CVE-2021-41084", "lastModified": "2024-11-21T06:25:25.353", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { 
"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-09-21T18:15:07.427", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", 
"weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-74" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-05-27 18:15
Modified
2024-11-21 06:07
Severity
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Summary
Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.
References
Source | URL | Tags
---|---|---
security-advisories@github.com | https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9 | Patch, Third Party Advisory
security-advisories@github.com | https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6 | Patch, Third Party Advisory
security-advisories@github.com | https://mvnrepository.com/artifact/org.http4s/http4s-core | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6 | Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://mvnrepository.com/artifact/org.http4s/http4s-core | Third Party Advisory
Impacted products
Vendor | Product | Version | |
---|---|---|---|
typelevel | http4s | * | |
typelevel | http4s | 0.22.0 | |
typelevel | http4s | 0.22.0 | |
typelevel | http4s | 0.22.0 | |
typelevel | http4s | 0.22.0 | |
typelevel | http4s | 0.22.0 | |
typelevel | http4s | 0.22.0 | |
typelevel | http4s | 0.22.0 | |
typelevel | http4s | 0.22.0 | |
typelevel | http4s | 0.23.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "A89F91C5-C023-499F-92E9-6ABD29906F05", "versionEndExcluding": "0.21.24", "versionStartIncluding": "0.21.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "3F47AFA4-20AD-41C4-9693-D9BE51F61AD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "277DD893-FCEC-494D-A25C-E4F1C0E2F30B", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "8CAEF1DF-8A14-4C6A-AF85-B66B07E53BCB", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "5F4BFAA7-4295-4496-9883-410DAEEC2CE0", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "5D2214A6-5A1F-4A89-9718-83D499D9A417", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "176031C5-37CA-4303-9222-6A5D1BA5982F", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "F860AD98-AC2A-460C-A95A-DE044EE32AD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "00D9D86C-BE0A-44FB-A242-6DF85C645591", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:0.23.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "C2A29EBD-8832-45AE-8686-B1058AAF9476", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "65C497F9-281C-4565-BD36-B6B4D7E6F8BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "6FCFC3E5-7530-4AAA-A2C7-36DC307B613B", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "76F8BC53-544C-4285-8D9B-CB91AD080048", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "778947CA-20BA-469F-87E1-97D8713ACC75", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "F5B02828-1E40-49BE-8367-10296625C696", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "A569F32F-3C8C-4F8F-B0BC-6ADC993596A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "525DBF4B-F574-459D-9CE2-6AF597ABAE10", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "FD05B15E-1E4F-43EA-B21A-3B96A77814D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "65C79F52-F05F-4F0A-AC27-393197B9EF00", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "A426B4C0-643A-492F-B7FB-725549F613F6", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "D95E231C-3D13-45FC-AF9A-CB8CF1FFC983", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "CF973F58-0AC7-4B58-A2CF-654133CE7F1A", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "35C40331-C96C-477C-B6BD-D5506E612DA8", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "615BC827-3E0F-4C1E-8FD2-B59FF31F2D49", "vulnerable": true }, 
{ "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "DE093D65-1B3A-4A4A-BC76-05DEF9529712", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "DC3CA618-148D-4F97-9913-316DDDD97838", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "02FA538C-9D8A-49D5-8268-1A2C3E96B89B", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "D18A3ABC-5C47-45BF-978C-5BB17787DCFA", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "1CE1CF51-E61A-418A-AB22-9D7A6D690BAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "29A70AAA-B77A-4291-A700-C910362DB8D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "9F8F3C38-57AB-4CBC-8959-7FF51CBA7907", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. 
The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs." }, { "lang": "es", "value": "Http4s es una interfaz de Scala para servicios HTTP.\u0026#xa0;el directorio \"StaticFile.fromUrl\" puede filtrar la presencia de un directorio en un servidor cuando el esquema \"URL\" no es \"file://\", y la URL apunta a un recurso recuperable bajo su esquema y autoridad.\u0026#xa0;La funci\u00f3n devuelve \"F[None]\", indicando que no hay recurso, si \"url.getFile\" es un directorio, sin comprobar primero el esquema o la autoridad de la URL.\u0026#xa0;Si una conexi\u00f3n URL al esquema y la URL devolvieran una secuencia, y la ruta en la URL se presenta como un directorio en el servidor, la presencia del directorio en el servidor podr\u00eda inferirse de la respuesta 404.\u0026#xa0;No son expuestas los contenidos y otros metadatos sobre el directorio.\u0026#xa0;Esto afecta a versiones de http4s: versiones 0.21.7 hasta 0.21.23, 0.22.0-M1 hasta 0.22.0-M8, 0.23.0-M1 y versiones 1.0.0-M1 hasta 1.0.0-M22.\u0026#xa0;El [parche] (https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) est\u00e1 disponible en las siguientes versiones: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23.\u0026#xa0;Como soluci\u00f3n alternativa, los usuarios pueden evitar llamar a \"StaticFile.fromUrl\" con URL que no sean archivos" } ], "id": "CVE-2021-32643", "lastModified": "2024-11-21T06:07:26.607", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, 
"impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-05-27T18:15:07.903", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party 
Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-01-04 16:15
Modified
2024-11-21 07:44
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.
References
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f | Exploit, Mitigation, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f | Exploit, Mitigation, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
typelevel | http4s | * | |
typelevel | http4s | * | |
typelevel | http4s | * | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 | |
typelevel | http4s | 1.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "185B0C49-B7B4-436A-9577-3276FCE1181F", "versionEndExcluding": "0.21.34", "versionStartIncluding": "0.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF811C59-F1EA-49A0-A335-D395AC17EC76", "versionEndExcluding": "0.22.15", "versionStartIncluding": "0.22.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "79816BBF-3E40-4E20-8138-281DA5CF65E9", "versionEndExcluding": "0.23.17", "versionStartIncluding": "0.23.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "65C497F9-281C-4565-BD36-B6B4D7E6F8BD", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "6FCFC3E5-7530-4AAA-A2C7-36DC307B613B", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "76F8BC53-544C-4285-8D9B-CB91AD080048", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "778947CA-20BA-469F-87E1-97D8713ACC75", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "F5B02828-1E40-49BE-8367-10296625C696", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "A569F32F-3C8C-4F8F-B0BC-6ADC993596A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "525DBF4B-F574-459D-9CE2-6AF597ABAE10", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*", 
"matchCriteriaId": "FD05B15E-1E4F-43EA-B21A-3B96A77814D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "65C79F52-F05F-4F0A-AC27-393197B9EF00", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "A426B4C0-643A-492F-B7FB-725549F613F6", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "D95E231C-3D13-45FC-AF9A-CB8CF1FFC983", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "CF973F58-0AC7-4B58-A2CF-654133CE7F1A", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "35C40331-C96C-477C-B6BD-D5506E612DA8", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "615BC827-3E0F-4C1E-8FD2-B59FF31F2D49", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "FDFB35FD-4D08-4895-B1B6-FC03BCB3EB22", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "97F74D04-031E-47D4-BA57-DBE9C74CE256", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "2FDC2E12-DE86-4A82-BD2F-C18F715CA673", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:*", "matchCriteriaId": "C1C18467-5FD0-4DCC-8B75-979C03BFF1C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone27:*:*:*:*:*:*", "matchCriteriaId": "6724B3CF-A393-469B-BA80-CED8AB98358A", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone28:*:*:*:*:*:*", "matchCriteriaId": "804EF10D-46A9-49C0-B1C4-74B832115662", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:typelevel:http4s:1.0.0:milestone29:*:*:*:*:*:*", "matchCriteriaId": "2DE365D6-17C4-4E82-8F2B-1DA18CC8382F", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "DE093D65-1B3A-4A4A-BC76-05DEF9529712", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone30:*:*:*:*:*:*", "matchCriteriaId": "078E27D3-AD80-44E8-A97C-328AEB4E2929", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone31:*:*:*:*:*:*", "matchCriteriaId": "548DB4B7-872D-4A7E-9DA7-D0BF15BDE969", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone32:*:*:*:*:*:*", "matchCriteriaId": "07037A73-F463-4F8B-8F8B-AF513B31DA21", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone33:*:*:*:*:*:*", "matchCriteriaId": "801D2731-BD6D-4CD9-B69F-75DC1A0FE3CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone34:*:*:*:*:*:*", "matchCriteriaId": "AA2C32F3-93A3-4A2F-9A9A-DC06056EDC81", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone35:*:*:*:*:*:*", "matchCriteriaId": "59C3ECBA-47D1-4A9B-8193-8033BC27CC37", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone36:*:*:*:*:*:*", "matchCriteriaId": "9B7AF9D4-4548-4D25-84BC-54C525179342", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone37:*:*:*:*:*:*", "matchCriteriaId": "0D884D1D-F74D-406F-A363-C008097C997E", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "DC3CA618-148D-4F97-9913-316DDDD97838", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "02FA538C-9D8A-49D5-8268-1A2C3E96B89B", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "D18A3ABC-5C47-45BF-978C-5BB17787DCFA", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "1CE1CF51-E61A-418A-AB22-9D7A6D690BAA", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "29A70AAA-B77A-4291-A700-C910362DB8D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "9F8F3C38-57AB-4CBC-8959-7FF51CBA7907", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface." }, { "lang": "es", "value": "Http4s es una interfaz de Scala para servicios HTTP. A partir de la versi\u00f3n 0.1.0 y anteriores a las versiones 0.21.34, 0.22.15, 0.23.17 y 1.0.0-M38, los analizadores de encabezado `User-Agent` y `Server` son susceptibles a un error fatal en ciertas entradas. En http4s, los encabezados modelados se analizan de forma diferida, por lo que esto solo se aplica a los servicios que solicitan expl\u00edcitamente estos encabezados escritos. Las correcciones se publicaron en 0.21.34, 0.22.15, 0.23.17 y 1.0.0-M38. Como workaround, utilice la interfaz de encabezado con tipos d\u00e9biles." 
} ], "id": "CVE-2023-22465", "lastModified": "2024-11-21T07:44:51.550", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-01-04T16:15:09.323", "references": [ { "source": "security-advisories@github.com", "tags": [ "Exploit", "Mitigation", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mitigation", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-02 22:15
Modified
2024-11-21 05:47
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. http4s provides a general "MaxActiveRequests" middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. In 0.21.17, 0.22.0-M2, and 1.0.0-M14, a new "maxConnections" property, with a default value of 1024, has been added to the `BlazeServerBuilder`. Setting the value to a negative number restores unbounded behavior, but is strongly discouraged. The NIO2 backend does not respect `maxConnections`. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22. There are several possible workarounds described in the referenced GitHub Advisory GHSA-xhv5-w9c5-2r2w.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB30E912-7ACF-41DA-A730-CEBAE7F25E21", "versionEndExcluding": "0.21.17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. http4s provides a general \"MaxActiveRequests\" middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. In 0.21.17, 0.22.0-M2, and 1.0.0-M14, a new \"maxConnections\" property, with a default value of 1024, has been added to the `BlazeServerBuilder`. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended. The NIO2 backend does not respect `maxConnections`. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22. There are several possible workarounds described in the refrenced GitHub Advisory GHSA-xhv5-w9c5-2r2w." 
}, { "lang": "es", "value": "Http4s (http4s-blaze-server) es una interfaz Scala m\u00ednima e idiom\u00e1tica para servicios HTTP.\u0026#xa0;Http4s anterior a versiones 0.21.17, 0.22.0-M2 y 1.0.0-M14, presentan una vulnerabilidad que puede conllevar a una denegaci\u00f3n de servicio.\u0026#xa0;Blaze-core, una biblioteca subyacente a http4s-blaze-server, acepta conexiones ilimitadas en su grupo de selectores.\u0026#xa0;Esto tiene el efecto neto de amplificar la degradaci\u00f3n en los servicios que no pueden manejar su carga de peticiones actual, ya que las conexiones entrantes a\u00fan se aceptan y agregan a una cola ilimitada.\u0026#xa0;Cada conexi\u00f3n asigna un identificador de socket, lo que agota un recurso escaso del sistema operativo.\u0026#xa0;Esto tambi\u00e9n puede confundir a los disyuntores de nivel superior que funcionan bas\u00e1ndose en la detecci\u00f3n de conexiones en fallo.\u0026#xa0;http4s proporciona un mecanismo de middleware \"MaxActiveRequests\" general para limitar las conexiones abiertas, pero se aplica dentro del bucle de aceptaci\u00f3n de Blaze,\u0026#xa0;despu\u00e9s de que se acepta la conexi\u00f3n y se abre el socket.\u0026#xa0;Por lo tanto, el l\u00edmite solo impide el n\u00famero de conexiones que se pueden procesar simult\u00e1neamente, no el n\u00famero de conexiones que se pueden mantener abiertas.\u0026#xa0;En 0.21.17, 0.22.0-M2 y 1.0.0-M14, se agreg\u00f3 una nueva propiedad \"maxConnections\", con un valor predeterminado de 1024, al \"BlazeServerBuilder\".\u0026#xa0;Establecer el valor en un n\u00famero negativo restaura el comportamiento ilimitado, pero se desaconseja en\u00e9rgicamente.\u0026#xa0;El backend de NIO2 no respeta \"maxConnections\".\u0026#xa0;Su uso ahora es obsoleto en http4s-0.21, y la opci\u00f3n se elimina por completo a partir de http4s-0.22.\u0026#xa0;Existen varias posibles soluciones que se describen en el Aviso de GitHub referenciado GHSA-xhv5-w9c5-2r2w" } ], "id": "CVE-2021-21294", "lastModified": 
"2024-11-21T05:47:57.380", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-02T22:15:12.387", "references": [ { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc" }, { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/commit/987d6589ef79545b9bb2324ac4bdebf82d9a0171" }, { "source": 
"security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/commit/987d6589ef79545b9bb2324ac4bdebf82d9a0171" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-770" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2021-21294 (GCVE-0-2021-21294)
Vulnerability from cvelistv5
Published
2021-02-02 21:40
Modified
2024-08-03 18:09
CWE
- CWE-400 - Uncontrolled Resource Consumption
Summary
Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. http4s provides a general "MaxActiveRequests" middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. In 0.21.17, 0.22.0-M2, and 1.0.0-M14, a new "maxConnections" property, with a default value of 1024, has been added to the `BlazeServerBuilder`. Setting the value to a negative number restores unbounded behavior, but is strongly discouraged. The NIO2 backend does not respect `maxConnections`. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22. There are several possible workarounds described in the referenced GitHub Advisory GHSA-xhv5-w9c5-2r2w.
References
▼ | URL | Tags |
---|---|---|
https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w | x_refsource_CONFIRM | |
https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc | x_refsource_MISC | |
https://github.com/http4s/http4s/commit/987d6589ef79545b9bb2324ac4bdebf82d9a0171 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:15.169Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/http4s/http4s/commit/987d6589ef79545b9bb2324ac4bdebf82d9a0171" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "http4s", "vendor": "http4s", "versions": [ { "status": "affected", "version": "\u003c 0.21.17" } ] } ], "descriptions": [ { "lang": "en", "value": "Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. http4s provides a general \"MaxActiveRequests\" middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. 
In 0.21.17, 0.22.0-M2, and 1.0.0-M14, a new \"maxConnections\" property, with a default value of 1024, has been added to the `BlazeServerBuilder`. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended. The NIO2 backend does not respect `maxConnections`. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22. There are several possible workarounds described in the refrenced GitHub Advisory GHSA-xhv5-w9c5-2r2w." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-02T21:40:18", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/http4s/http4s/commit/987d6589ef79545b9bb2324ac4bdebf82d9a0171" } ], "source": { "advisory": "GHSA-xhv5-w9c5-2r2w", "discovery": "UNKNOWN" }, "title": "Unbounded connection acceptance in http4s-blaze-server", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21294", "STATE": "PUBLIC", "TITLE": "Unbounded connection acceptance in http4s-blaze-server" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { 
"product_name": "http4s", "version": { "version_data": [ { "version_value": "\u003c 0.21.17" } ] } } ] }, "vendor_name": "http4s" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. http4s provides a general \"MaxActiveRequests\" middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. In 0.21.17, 0.22.0-M2, and 1.0.0-M14, a new \"maxConnections\" property, with a default value of 1024, has been added to the `BlazeServerBuilder`. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended. The NIO2 backend does not respect `maxConnections`. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22. There are several possible workarounds described in the refrenced GitHub Advisory GHSA-xhv5-w9c5-2r2w." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w", "refsource": "CONFIRM", "url": "https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w" }, { "name": "https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc", "refsource": "MISC", "url": "https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc" }, { "name": "https://github.com/http4s/http4s/commit/987d6589ef79545b9bb2324ac4bdebf82d9a0171", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/987d6589ef79545b9bb2324ac4bdebf82d9a0171" } ] }, "source": { "advisory": "GHSA-xhv5-w9c5-2r2w", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21294", "datePublished": "2021-02-02T21:40:19", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.169Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-41084 (GCVE-0-2021-41084)
Vulnerability from cvelistv5
Published
2021-09-21 17:20
Modified
2024-08-04 02:59
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
http4s is an open source Scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
References
▼ | URL | Tags |
---|---|---|
https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3 | x_refsource_CONFIRM | |
https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8 | x_refsource_MISC | |
https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values | x_refsource_MISC | |
https://owasp.org/www-community/attacks/HTTP_Response_Splitting | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:59:31.504Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "http4s", "vendor": "http4s", "versions": [ { "status": "affected", "version": "\u003c= 0.21.28" }, { "status": "affected", "version": "\u003e= 0.22.0, \u003c 0.22.5" }, { "status": "affected", "version": "\u003e= 0.23.0, \u003c 0.23.4" }, { "status": "affected", "version": "\u003e= 1.0.0-M1, \u003c 1.0.0-M27" } ] } ], "descriptions": [ { "lang": "en", "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-21T17:20:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8" }, { "tags": [ "x_refsource_MISC" ], "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting" } ], "source": { "advisory": "GHSA-5vcm-3xc3-w7x3", "discovery": "UNKNOWN" }, "title": "Response Splitting from unsanitized headers in http4s", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41084", "STATE": "PUBLIC", "TITLE": "Response Splitting from unsanitized headers in http4s" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "http4s", "version": { "version_data": [ { "version_value": "\u003c= 0.21.28" }, { "version_value": "\u003e= 0.22.0, \u003c 0.22.5" }, { "version_value": "\u003e= 0.23.0, \u003c 0.23.4" }, { "version_value": "\u003e= 1.0.0-M1, \u003c 1.0.0-M27" } ] } } ] }, "vendor_name": "http4s" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-918: Server-Side Request Forgery (SSRF)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3", "refsource": "CONFIRM", "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3" }, { "name": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8" }, { "name": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values", "refsource": "MISC", "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values" }, { 
"name": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "refsource": "MISC", "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting" } ] }, "source": { "advisory": "GHSA-5vcm-3xc3-w7x3", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41084", "datePublished": "2021-09-21T17:20:14", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.504Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-39185 (GCVE-0-2021-39185)
Vulnerability from cvelistv5
Published
2021-09-01 19:25
Modified
2024-08-04 01:58
CWE
- CWE-346 - Origin Validation Error
Summary
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.
References
▼ | URL | Tags |
---|---|---|
https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6 | x_refsource_CONFIRM | |
https://github.com/http4s/http4s/releases/tag/v0.23.2 | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:58:18.235Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/http4s/http4s/releases/tag/v0.23.2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "http4s", "vendor": "http4s", "versions": [ { "status": "affected", "version": "\u003c 0.21.27" }, { "status": "affected", "version": "\u003e= 0.22.0, \u003c 0.22.3" }, { "status": "affected", "version": "\u003e= 0.23.0, \u003c 0.23.2" }, { "status": "affected", "version": "\u003e= 1.0.0-M1, \u003c= 1.0.0-M24" } ] } ], "descriptions": [ { "lang": "en", "value": "Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-01T19:25:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/http4s/http4s/releases/tag/v0.23.2" } ], "source": { "advisory": "GHSA-52cf-226f-rhr6", "discovery": "UNKNOWN" }, "title": "Default CORS config allows any origin with credentials", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39185", "STATE": "PUBLIC", "TITLE": "Default CORS config allows any origin with credentials" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "http4s", "version": { "version_data": [ { "version_value": "\u003c 0.21.27" }, { "version_value": "\u003e= 0.22.0, \u003c 0.22.3" }, { "version_value": "\u003e= 0.23.0, \u003c 0.23.2" }, { "version_value": "\u003e= 1.0.0-M1, \u003c= 1.0.0-M24" } ] } } ] }, "vendor_name": "http4s" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Http4s is a minimal, idiomatic Scala interface for HTTP services. 
In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-346: Origin Validation Error" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6", "refsource": "CONFIRM", "url": "https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6" }, { "name": "https://github.com/http4s/http4s/releases/tag/v0.23.2", "refsource": "MISC", "url": "https://github.com/http4s/http4s/releases/tag/v0.23.2" } ] }, "source": { "advisory": "GHSA-52cf-226f-rhr6", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39185", "datePublished": "2021-09-01T19:25:09", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.235Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-22465 (GCVE-0-2023-22465)
Vulnerability from cvelistv5
Published
2023-01-04 15:30
Modified
2025-03-10 21:32
CWE
- CWE-20 - Improper Input Validation
Summary
Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.
References
▼ | URL | Tags |
---|---|---|
https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:13:48.417Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-22465", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-03-10T21:02:19.525721Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-10T21:32:44.734Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "http4s", "vendor": "http4s", "versions": [ { "status": "affected", "version": "\u003e= 0.1.0, \u003c 0.21.34" }, { "status": "affected", "version": "\u003e= 0.22.0, \u003c 0.22.15" }, { "status": "affected", "version": "\u003e= 0.23.0, \u003c 0.23.17" }, { "status": "affected", "version": "\u003e= 1.0.0-M1, \u003c 1.0.0-M38" } ] } ], "descriptions": [ { "lang": "en", "value": "Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-04T15:30:04.129Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f" } ], "source": { "advisory": "GHSA-54w6-vxfh-fw7f", "discovery": "UNKNOWN" }, "title": "Http4s has fatal error parsing User-Agent and Server headers" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-22465", "datePublished": "2023-01-04T15:30:04.129Z", "dateReserved": "2022-12-29T03:00:40.879Z", "dateUpdated": "2025-03-10T21:32:44.734Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-32643 (GCVE-0-2021-32643)
Vulnerability from cvelistv5
Published
2021-05-27 17:15
Modified
2024-08-03 23:25
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.
References
▼ | URL | Tags |
---|---|---|
https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6 | x_refsource_CONFIRM | |
https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9 | x_refsource_MISC | |
https://mvnrepository.com/artifact/org.http4s/http4s-core | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:25:30.936Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "http4s", "vendor": "http4s", "versions": [ { "status": "affected", "version": "\u003e= 0.21.7, \u003c 0.21.24" }, { "status": "affected", "version": "\u003e= 0.22.0-M1, \u003c= 0.22.0-M8" }, { "status": "affected", "version": "= 0.23.0-M1" }, { "status": "affected", "version": "\u003e= 1.0.0-M1, \u003c 1.0.0-M23" } ] } ], "descriptions": [ { "lang": "en", "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. 
As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-27T17:15:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9" }, { "tags": [ "x_refsource_MISC" ], "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core" } ], "source": { "advisory": "GHSA-6h7w-fc84-x7p6", "discovery": "UNKNOWN" }, "title": "StaticFile.fromUrl can leak presence of a directory", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32643", "STATE": "PUBLIC", "TITLE": "StaticFile.fromUrl can leak presence of a directory" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "http4s", "version": { "version_data": [ { "version_value": "\u003e= 0.21.7, \u003c 0.21.24" }, { "version_value": "\u003e= 0.22.0-M1, \u003c= 0.22.0-M8" }, { "version_value": "= 0.23.0-M1" }, { "version_value": "\u003e= 1.0.0-M1, \u003c 1.0.0-M23" } ] } } ] }, "vendor_name": "http4s" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { 
"description_data": [ { "lang": "eng", "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6", "refsource": "CONFIRM", "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6" }, { "name": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9" }, { "name": "https://mvnrepository.com/artifact/org.http4s/http4s-core", "refsource": "MISC", "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core" } ] }, "source": { "advisory": "GHSA-6h7w-fc84-x7p6", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32643", "datePublished": "2021-05-27T17:15:11", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:25:30.936Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-5280 (GCVE-0-2020-5280)
Vulnerability from cvelistv5
Published
2020-03-25 17:45
Modified
2024-08-04 08:22
CWE
- CWE-23 - Relative Path Traversal
Summary
http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.
References
▼ | URL | Tags |
---|---|---|
https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6 | x_refsource_CONFIRM | |
https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec | x_refsource_MISC | |
https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca | x_refsource_MISC | |
https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T08:22:09.104Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "http4s", "vendor": "http4s", "versions": [ { "status": "affected", "version": "\u003c 0.18.26" }, { "status": "affected", "version": "\u003e= 0.19.0, \u003c 0.20.20" }, { "status": "affected", "version": "\u003e= 0.21.0, \u003c 0.21.2" } ] } ], "descriptions": [ { "lang": "en", "value": "http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-25T17:45:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b" } ], "source": { "advisory": "GHSA-66q9-f7ff-mmx6", "discovery": "UNKNOWN" }, "title": "Local file inclusion vulnerability in http4s", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5280", "STATE": "PUBLIC", "TITLE": "Local file inclusion vulnerability in http4s" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "http4s", "version": { "version_data": [ { "version_value": "\u003c 0.18.26" }, { "version_value": "\u003e= 0.19.0, \u003c 0.20.20" }, { "version_value": "\u003e= 0.21.0, \u003c 0.21.2" } ] } } ] }, "vendor_name": "http4s" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "http4s before versions 0.18.26, 
0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-23: Relative Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6", "refsource": "CONFIRM", "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6" }, { "name": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec" }, { "name": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca" }, { "name": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b" } ] }, "source": { "advisory": "GHSA-66q9-f7ff-mmx6", "discovery": "UNKNOWN" } } } }, "cveMetadata": { 
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5280", "datePublished": "2020-03-25T17:45:17", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.104Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }