Vulnerability-Lookup

CVE-2021-32643 (GCVE-0-2021-32643)

Vulnerability from cvelistv5 – Published: 2021-05-27 17:15 – Updated: 2024-08-03 23:25

Title

StaticFile.fromUrl can leak presence of a directory

Summary

Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.

Severity ?

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	http4s	http4s	Affected: >= 0.21.7, < 0.21.24 Affected: >= 0.22.0-M1, <= 0.22.0-M8 Affected: = 0.23.0-M1 Affected: >= 1.0.0-M1, < 1.0.0-M23

GSD-2021-32643

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-32643

Aliases

CVE-2021-32643

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-32643",
    "description": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.",
    "id": "GSD-2021-32643"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-32643"
      ],
      "details": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.",
      "id": "GSD-2021-32643",
      "modified": "2023-12-13T01:23:09.212176Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-32643",
        "STATE": "PUBLIC",
        "TITLE": "StaticFile.fromUrl can leak presence of a directory"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "http4s",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 0.21.7, \u003c 0.21.24"
                        },
                        {
                          "version_value": "\u003e= 0.22.0-M1, \u003c= 0.22.0-M8"
                        },
                        {
                          "version_value": "= 0.23.0-M1"
                        },
                        {
                          "version_value": "\u003e= 1.0.0-M1, \u003c 1.0.0-M23"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "http4s"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6",
            "refsource": "CONFIRM",
            "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
          },
          {
            "name": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9",
            "refsource": "MISC",
            "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
          },
          {
            "name": "https://mvnrepository.com/artifact/org.http4s/http4s-core",
            "refsource": "MISC",
            "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-6h7w-fc84-x7p6",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[0.21.7,0.21.24),[0.22.0-M1,0.22.0-M8],[0.23.0-M1],[1.0.0-M1,1.0.0-M22]",
          "affected_versions": "All versions starting from 0.21.7 before 0.21.24, all versions starting from 0.22.0-m1 up to 0.22.0-m8, version 0.23.0-m1, all versions starting from 1.0.0-m1 up to 1.0.0-m22",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2021-05-28",
          "description": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.",
          "fixed_versions": [
            "0.21.24",
            "0.23.0-RC1",
            "1.0.0-M23"
          ],
          "identifier": "CVE-2021-32643",
          "identifiers": [
            "GHSA-6h7w-fc84-x7p6",
            "CVE-2021-32643"
          ],
          "not_impacted": "All versions before 0.21.7, all versions starting from 0.21.24 before 0.22.0-m1, all versions after 0.22.0-m8 before 0.23.0-m1, all versions after 0.23.0-m1 before 1.0.0-m1, all versions after 1.0.0-m22",
          "package_slug": "maven/org.http4s/http4s-core",
          "pubdate": "2021-05-28",
          "solution": "Upgrade to versions 0.21.24, 0.23.0-RC1, 1.0.0-M23 or above.",
          "title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
          "urls": [
            "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32643",
            "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9",
            "https://github.com/advisories/GHSA-6h7w-fc84-x7p6"
          ],
          "uuid": "9a776217-2276-4544-a48b-776e8f03ee31"
        },
        {
          "affected_range": "[0.21.7,0.21.24),[0.22.0,0.23.0],[1.0.0]",
          "affected_versions": "All versions starting from 0.21.7 before 0.21.24, all versions starting from 0.22.0 up to 0.23.0, version 1.0.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-22",
            "CWE-937"
          ],
          "date": "2021-06-10",
          "description": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the response. The contents and other metadata about the directory are not exposed.",
          "fixed_versions": [
            "1.0.0-M23"
          ],
          "identifier": "CVE-2021-32643",
          "identifiers": [
            "CVE-2021-32643",
            "GHSA-6h7w-fc84-x7p6"
          ],
          "not_impacted": "All versions starting from 1.0.0-M23.",
          "package_slug": "maven/org.http4s/http4s-core_2.12",
          "pubdate": "2021-05-27",
          "solution": "Upgrade to versions 1.0.0-M23 or above.",
          "title": "Path Traversal",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32643"
          ],
          "uuid": "c11ab48e-5904-4acf-a32e-2f738a84e208"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.21.24",
                "versionStartIncluding": "0.21.7",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:0.23.0:milestone1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32643"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
            },
            {
              "name": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
            },
            {
              "name": "https://mvnrepository.com/artifact/org.http4s/http4s-core",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2021-06-10T13:32Z",
      "publishedDate": "2021-05-27T18:15Z"
    }
  }
}

GHSA-6H7W-FC84-X7P6

Vulnerability from github – Published: 2021-05-28 15:54 – Updated: 2021-05-27 21:17

Summary

StaticFile.fromUrl can leak presence of a directory

Details

Impact

StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns F[None], indicating no resource, if url.getFile is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed.

This affects http4s versions: * 0.21.7 through 0.21.23 * 0.22.0-M1 through 0.22.0-M8 * 0.23.0-M1 * 1.0.0-M1 through 1.0.0-M22

Patches

The patch is available in the following versions:

v0.21.24
v0.22.0-RC1
v0.23.0-RC1
v1.0.0-M23

Note: a previous version of this advisory incorrectly referred to 0.22.0-M9 and 0.23.0-M2.

Workarounds

Don't call StaticFile.fromUrl with non-file URLs.

For more information

If you have any questions or comments about this advisory: * Open an issue in the http4s repository * Disclose further vulnerabilities according to the http4s security policy

Severity ?

5.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.21.7"
            },
            {
              "fixed": "0.21.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.22.0-M8"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.22.0-M1"
            },
            {
              "fixed": "0.22.0-RC1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.23.0-M1"
            },
            {
              "fixed": "0.23.0-RC1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.23.0-M1"
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0-M22"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0-M1"
            },
            {
              "fixed": "1.0.0-M23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-27T21:17:06Z",
    "nvd_published_at": "2021-05-27T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n`StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority.  The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL.  If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response.  The contents and other metadata about the directory are not exposed.\n\nThis affects http4s versions:\n* 0.21.7 through 0.21.23\n* 0.22.0-M1 through 0.22.0-M8\n* 0.23.0-M1\n* 1.0.0-M1 through 1.0.0-M22\n\n### Patches\n\nThe [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions:\n\n* v0.21.24\n* v0.22.0-RC1\n* v0.23.0-RC1\n* v1.0.0-M23\n\nNote: a previous version of this advisory incorrectly referred to 0.22.0-M9 and 0.23.0-M2.\n\n### Workarounds\n\nDon\u0027t call `StaticFile.fromUrl` with non-file URLs.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [the http4s repository](https://github.com/http4s/http4s)\n* Disclose further vulnerabilities according to the [http4s security policy](https://github.com/http4s/http4s/blob/main/SECURITY.md)\n",
  "id": "GHSA-6h7w-fc84-x7p6",
  "modified": "2021-05-27T21:17:06Z",
  "published": "2021-05-28T15:54:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32643"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
    },
    {
      "type": "WEB",
      "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "StaticFile.fromUrl can leak presence of a directory"
}

CNVD-2021-44963

Vulnerability from cnvd - Published: 2021-06-25

Title

Http4s路径遍历漏洞（CNVD-2021-44963）

Description

Http4s是一款开源的用于Scala的流HTTP服务器。 Http4s存在路径遍历漏洞，攻击者可利用该漏洞获取敏感信息。

Severity

中

Patch Name

Http4s路径遍历漏洞（CNVD-2021-44963）的补丁

Patch Description

Http4s是一款开源的用于Scala的流HTTP服务器。 Http4s存在路径遍历漏洞，攻击者可利用该漏洞获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-32643

Impacted products

Name
['http4s http4s >=0.21.7，<=0.21.23', 'http4s http4s >=0.22.0-M1，<=0.22.0-M8', 'http4s http4s >=0.23.0-M1', 'http4s http4s >=1.0.0-M1，<=1.0.0-M22']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-32643"
    }
  },
  "description": "Http4s\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u7528\u4e8eScala\u7684\u6d41HTTP\u670d\u52a1\u5668\u3002\n\nHttp4s\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-44963",
  "openTime": "2021-06-25",
  "patchDescription": "Http4s\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u7528\u4e8eScala\u7684\u6d41HTTP\u670d\u52a1\u5668\u3002\r\n\r\nHttp4s\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Http4s\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff08CNVD-2021-44963\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "http4s http4s \u003e=0.21.7\uff0c\u003c=0.21.23",
      "http4s http4s \u003e=0.22.0-M1\uff0c\u003c=0.22.0-M8",
      "http4s http4s \u003e=0.23.0-M1",
      "http4s http4s \u003e=1.0.0-M1\uff0c\u003c=1.0.0-M22"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-32643",
  "serverity": "\u4e2d",
  "submitTime": "2021-05-28",
  "title": "Http4s\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff08CNVD-2021-44963\uff09"
}

FKIE_CVE-2021-32643

Vulnerability from fkie_nvd - Published: 2021-05-27 18:15 - Updated: 2024-11-21 06:07

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6	Patch, Third Party Advisory
security-advisories@github.com	https://mvnrepository.com/artifact/org.http4s/http4s-core	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://mvnrepository.com/artifact/org.http4s/http4s-core	Third Party Advisory

Impacted products

Vendor	Product	Version
typelevel	http4s	*
typelevel	http4s	0.22.0
typelevel	http4s	0.22.0
typelevel	http4s	0.22.0
typelevel	http4s	0.22.0
typelevel	http4s	0.22.0
typelevel	http4s	0.22.0
typelevel	http4s	0.22.0
typelevel	http4s	0.22.0
typelevel	http4s	0.23.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A89F91C5-C023-499F-92E9-6ABD29906F05",
              "versionEndExcluding": "0.21.24",
              "versionStartIncluding": "0.21.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "3F47AFA4-20AD-41C4-9693-D9BE51F61AD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "277DD893-FCEC-494D-A25C-E4F1C0E2F30B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "8CAEF1DF-8A14-4C6A-AF85-B66B07E53BCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone4:*:*:*:*:*:*",
              "matchCriteriaId": "5F4BFAA7-4295-4496-9883-410DAEEC2CE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone5:*:*:*:*:*:*",
              "matchCriteriaId": "5D2214A6-5A1F-4A89-9718-83D499D9A417",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone6:*:*:*:*:*:*",
              "matchCriteriaId": "176031C5-37CA-4303-9222-6A5D1BA5982F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone7:*:*:*:*:*:*",
              "matchCriteriaId": "F860AD98-AC2A-460C-A95A-DE044EE32AD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone8:*:*:*:*:*:*",
              "matchCriteriaId": "00D9D86C-BE0A-44FB-A242-6DF85C645591",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.23.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "C2A29EBD-8832-45AE-8686-B1058AAF9476",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "65C497F9-281C-4565-BD36-B6B4D7E6F8BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*",
              "matchCriteriaId": "6FCFC3E5-7530-4AAA-A2C7-36DC307B613B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*",
              "matchCriteriaId": "D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*",
              "matchCriteriaId": "76F8BC53-544C-4285-8D9B-CB91AD080048",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*",
              "matchCriteriaId": "778947CA-20BA-469F-87E1-97D8713ACC75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*",
              "matchCriteriaId": "F5B02828-1E40-49BE-8367-10296625C696",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*",
              "matchCriteriaId": "A569F32F-3C8C-4F8F-B0BC-6ADC993596A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*",
              "matchCriteriaId": "525DBF4B-F574-459D-9CE2-6AF597ABAE10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*",
              "matchCriteriaId": "FD05B15E-1E4F-43EA-B21A-3B96A77814D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*",
              "matchCriteriaId": "65C79F52-F05F-4F0A-AC27-393197B9EF00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*",
              "matchCriteriaId": "A426B4C0-643A-492F-B7FB-725549F613F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "D95E231C-3D13-45FC-AF9A-CB8CF1FFC983",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*",
              "matchCriteriaId": "CF973F58-0AC7-4B58-A2CF-654133CE7F1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*",
              "matchCriteriaId": "35C40331-C96C-477C-B6BD-D5506E612DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*",
              "matchCriteriaId": "615BC827-3E0F-4C1E-8FD2-B59FF31F2D49",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "DE093D65-1B3A-4A4A-BC76-05DEF9529712",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*",
              "matchCriteriaId": "DC3CA618-148D-4F97-9913-316DDDD97838",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*",
              "matchCriteriaId": "02FA538C-9D8A-49D5-8268-1A2C3E96B89B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*",
              "matchCriteriaId": "D18A3ABC-5C47-45BF-978C-5BB17787DCFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*",
              "matchCriteriaId": "1CE1CF51-E61A-418A-AB22-9D7A6D690BAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*",
              "matchCriteriaId": "29A70AAA-B77A-4291-A700-C910362DB8D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*",
              "matchCriteriaId": "9F8F3C38-57AB-4CBC-8959-7FF51CBA7907",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."
    },
    {
      "lang": "es",
      "value": "Http4s es una interfaz de Scala para servicios HTTP.\u0026#xa0;el directorio \"StaticFile.fromUrl\" puede filtrar la presencia de un directorio en un servidor cuando el esquema \"URL\" no es \"file://\", y la URL apunta a un recurso recuperable bajo su esquema y autoridad.\u0026#xa0;La funci\u00f3n devuelve \"F[None]\", indicando que no hay recurso, si \"url.getFile\" es un directorio, sin comprobar primero el esquema o la autoridad de la URL.\u0026#xa0;Si una conexi\u00f3n URL al esquema y la URL devolvieran una secuencia, y la ruta en la URL se presenta como un directorio en el servidor, la presencia del directorio en el servidor podr\u00eda inferirse de la respuesta 404.\u0026#xa0;No son expuestas los contenidos y otros metadatos sobre el directorio.\u0026#xa0;Esto afecta a versiones de http4s: versiones 0.21.7 hasta 0.21.23, 0.22.0-M1 hasta 0.22.0-M8, 0.23.0-M1 y versiones 1.0.0-M1 hasta 1.0.0-M22.\u0026#xa0;El [parche] (https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) est\u00e1 disponible en las siguientes versiones: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23.\u0026#xa0;Como soluci\u00f3n alternativa, los usuarios pueden evitar llamar a \"StaticFile.fromUrl\" con URL que no sean archivos"
    }
  ],
  "id": "CVE-2021-32643",
  "lastModified": "2024-11-21T06:07:26.607",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-27T18:15:07.903",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-32643 (GCVE-0-2021-32643)

GSD-2021-32643

GHSA-6H7W-FC84-X7P6

Impact

Patches

Workarounds

For more information

CNVD-2021-44963

FKIE_CVE-2021-32643

Tags

Sightings

Nomenclature