CVE-2021-32643 (GCVE-0-2021-32643)
Vulnerability from cvelistv5
Published
2021-05-27 17:15
Modified
2024-08-03 23:25
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.
References
security-advisories@github.comhttps://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6Patch, Third Party Advisory
security-advisories@github.comhttps://mvnrepository.com/artifact/org.http4s/http4s-coreThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://mvnrepository.com/artifact/org.http4s/http4s-coreThird Party Advisory
Impacted products
Vendor Product Version
http4s http4s Version: >= 0.21.7, < 0.21.24
Version: >= 0.22.0-M1, <= 0.22.0-M8
Version: = 0.23.0-M1
Version: >= 1.0.0-M1, < 1.0.0-M23
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:30.936Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "http4s",
          "vendor": "http4s",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.21.7, \u003c 0.21.24"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.22.0-M1, \u003c= 0.22.0-M8"
            },
            {
              "status": "affected",
              "version": "= 0.23.0-M1"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0-M1, \u003c 1.0.0-M23"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-27T17:15:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
        }
      ],
      "source": {
        "advisory": "GHSA-6h7w-fc84-x7p6",
        "discovery": "UNKNOWN"
      },
      "title": "StaticFile.fromUrl can leak presence of a directory",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32643",
          "STATE": "PUBLIC",
          "TITLE": "StaticFile.fromUrl can leak presence of a directory"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "http4s",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 0.21.7, \u003c 0.21.24"
                          },
                          {
                            "version_value": "\u003e= 0.22.0-M1, \u003c= 0.22.0-M8"
                          },
                          {
                            "version_value": "= 0.23.0-M1"
                          },
                          {
                            "version_value": "\u003e= 1.0.0-M1, \u003c 1.0.0-M23"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "http4s"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6",
              "refsource": "CONFIRM",
              "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
            },
            {
              "name": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9",
              "refsource": "MISC",
              "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
            },
            {
              "name": "https://mvnrepository.com/artifact/org.http4s/http4s-core",
              "refsource": "MISC",
              "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-6h7w-fc84-x7p6",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32643",
    "datePublished": "2021-05-27T17:15:11",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:25:30.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-32643\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-05-27T18:15:07.903\",\"lastModified\":\"2024-11-21T06:07:26.607\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.\"},{\"lang\":\"es\",\"value\":\"Http4s es una interfaz de Scala para servicios HTTP.\u0026#xa0;el directorio \\\"StaticFile.fromUrl\\\" puede filtrar la presencia de un directorio en un servidor cuando el esquema \\\"URL\\\" no es \\\"file://\\\", y la URL apunta a un recurso recuperable bajo su esquema y autoridad.\u0026#xa0;La funci\u00f3n devuelve \\\"F[None]\\\", indicando que no hay recurso, si \\\"url.getFile\\\" es un directorio, sin comprobar primero el esquema o la autoridad de la URL.\u0026#xa0;Si una conexi\u00f3n URL al esquema y la URL devolvieran una secuencia, y la ruta en la URL se presenta como un directorio en el servidor, la presencia del directorio en el servidor podr\u00eda inferirse de la respuesta 404.\u0026#xa0;No son expuestas los contenidos y otros metadatos sobre el directorio.\u0026#xa0;Esto afecta a versiones de http4s: versiones 0.21.7 hasta 0.21.23, 0.22.0-M1 hasta 0.22.0-M8, 0.23.0-M1 y versiones 1.0.0-M1 hasta 1.0.0-M22.\u0026#xa0;El [parche] (https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) est\u00e1 disponible en las siguientes versiones: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23.\u0026#xa0;Como soluci\u00f3n alternativa, los usuarios pueden evitar llamar a \\\"StaticFile.fromUrl\\\" con URL que no sean archivos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.21.7\",\"versionEndExcluding\":\"0.21.24\",\"matchCriteriaId\":\"A89F91C5-C023-499F-92E9-6ABD29906F05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:0.22.0:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F47AFA4-20AD-41C4-9693-D9BE51F61AD5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:0.22.0:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"277DD893-FCEC-494D-A25C-E4F1C0E2F30B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:0.22.0:milestone3:*:*:*:*:*:*\",\"matchCriteriaId\":\"8CAEF1DF-8A14-4C6A-AF85-B66B07E53BCB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:0.22.0:milestone4:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F4BFAA7-4295-4496-9883-410DAEEC2CE0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:0.22.0:milestone5:*:*:*:*:*:*\",\"matchCriteriaId\":\"5D2214A6-5A1F-4A89-9718-83D499D9A417\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:0.22.0:milestone6:*:*:*:*:*:*\",\"matchCriteriaId\":\"176031C5-37CA-4303-9222-6A5D1BA5982F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:0.22.0:milestone7:*:*:*:*:*:*\",\"matchCriteriaId\":\"F860AD98-AC2A-460C-A95A-DE044EE32AD2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:0.22.0:milestone8:*:*:*:*:*:*\",\"matchCriteriaId\":\"00D9D86C-BE0A-44FB-A242-6DF85C645591\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:0.23.0:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2A29EBD-8832-45AE-8686-B1058AAF9476\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"65C497F9-281C-4565-BD36-B6B4D7E6F8BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*\",\"matchCriteriaId\":\"6FCFC3E5-7530-4AAA-A2C7-36DC307B613B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*\",\"matchCriteriaId\":\"D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*\",\"matchCriteriaId\":\"76F8BC53-544C-4285-8D9B-CB91AD080048\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*\",\"matchCriteriaId\":\"778947CA-20BA-469F-87E1-97D8713ACC75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5B02828-1E40-49BE-8367-10296625C696\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*\",\"matchCriteriaId\":\"A569F32F-3C8C-4F8F-B0BC-6ADC993596A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*\",\"matchCriteriaId\":\"525DBF4B-F574-459D-9CE2-6AF597ABAE10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD05B15E-1E4F-43EA-B21A-3B96A77814D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*\",\"matchCriteriaId\":\"65C79F52-F05F-4F0A-AC27-393197B9EF00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*\",\"matchCriteriaId\":\"A426B4C0-643A-492F-B7FB-725549F613F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"D95E231C-3D13-45FC-AF9A-CB8CF1FFC983\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF973F58-0AC7-4B58-A2CF-654133CE7F1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*\",\"matchCriteriaId\":\"35C40331-C96C-477C-B6BD-D5506E612DA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*\",\"matchCriteriaId\":\"615BC827-3E0F-4C1E-8FD2-B59FF31F2D49\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE093D65-1B3A-4A4A-BC76-05DEF9529712\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC3CA618-148D-4F97-9913-316DDDD97838\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*\",\"matchCriteriaId\":\"02FA538C-9D8A-49D5-8268-1A2C3E96B89B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*\",\"matchCriteriaId\":\"D18A3ABC-5C47-45BF-978C-5BB17787DCFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*\",\"matchCriteriaId\":\"1CE1CF51-E61A-418A-AB22-9D7A6D690BAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*\",\"matchCriteriaId\":\"29A70AAA-B77A-4291-A700-C910362DB8D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F8F3C38-57AB-4CBC-8959-7FF51CBA7907\"}]}]}],\"references\":[{\"url\":\"https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://mvnrepository.com/artifact/org.http4s/http4s-core\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://mvnrepository.com/artifact/org.http4s/http4s-core\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.