Lucene search

GitHub_MCVE-2021-41084

HistorySep 21, 2021 - 6:15 p.m.

CVE-2021-41084

2021-09-2118:15:07

CWE-918

CWE-74

GitHub_M

web.nvd.nist.gov

http4s

scala

http

vulnerability

cve-2021-41084

security

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

4.7

Confidence

High

EPSS

0.002

Percentile

52.2%

JSON

http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (Header.nameå), Header values (Header.value), Status reason phrases (Status.reason), URI paths (Uri.Path), URI authority registered names (URI.RegName) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.

Affected configurations

Nvd

Vulners

Node

typelevelhttp4sRange<0.21.29

typelevelhttp4sRange0.22.0–0.22.5

typelevelhttp4sRange0.23.0–0.23.4

typelevelhttp4sMatch1.0.0milestone1

typelevelhttp4sMatch1.0.0milestone10

typelevelhttp4sMatch1.0.0milestone11

typelevelhttp4sMatch1.0.0milestone12

typelevelhttp4sMatch1.0.0milestone13

typelevelhttp4sMatch1.0.0milestone14

typelevelhttp4sMatch1.0.0milestone15

typelevelhttp4sMatch1.0.0milestone16

typelevelhttp4sMatch1.0.0milestone17

typelevelhttp4sMatch1.0.0milestone18

typelevelhttp4sMatch1.0.0milestone19

typelevelhttp4sMatch1.0.0milestone2

typelevelhttp4sMatch1.0.0milestone20

typelevelhttp4sMatch1.0.0milestone21

typelevelhttp4sMatch1.0.0milestone22

typelevelhttp4sMatch1.0.0milestone23

typelevelhttp4sMatch1.0.0milestone24

typelevelhttp4sMatch1.0.0milestone25

typelevelhttp4sMatch1.0.0milestone26

typelevelhttp4sMatch1.0.0milestone3

typelevelhttp4sMatch1.0.0milestone4

typelevelhttp4sMatch1.0.0milestone5

typelevelhttp4sMatch1.0.0milestone6

typelevelhttp4sMatch1.0.0milestone7

typelevelhttp4sMatch1.0.0milestone8

typelevelhttp4sMatch1.0.0milestone9

VendorProductVersionCPE
typelevelhttp4s*cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*

Vendor	Product	Version	CPE
typelevel	http4s	*	cpe:2.3:a:typelevel:http4s::::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone1::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone10::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone11::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone12::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone13::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone14::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone15::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone16::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone17::::::

Rows per page:

1-10 of 271

CNA Affected

[
  {
    "product": "http4s",
    "vendor": "http4s",
    "versions": [
      {
        "status": "affected",
        "version": "<= 0.21.28"
      },
      {
        "status": "affected",
        "version": ">= 0.22.0, < 0.22.5"
      },
      {
        "status": "affected",
        "version": ">= 0.23.0, < 0.23.4"
      },
      {
        "status": "affected",
        "version": ">= 1.0.0-M1, < 1.0.0-M27"
      }
    ]
  }
]

References

github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8

github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3

httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values

owasp.org/www-community/attacks/HTTP_Response_Splitting

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

4.7

Confidence

High

EPSS

0.002

Percentile

52.2%

JSON

Related for CVE-2021-41084