Lucene search

GitHub_MCVE-2023-22465

HistoryJan 04, 2023 - 4:15 p.m.

CVE-2023-22465

2023-01-0416:15:09

CWE-20

GitHub_M

web.nvd.nist.gov

cve

2023

22465

http4s

scala

http services

user-agent

server header

vulnerability

update

nvd

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

33.4%

JSON

Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.

Affected configurations

Nvd

Vulners

Node

typelevelhttp4sRange0.1.0–0.21.34

typelevelhttp4sRange0.22.0–0.22.15

typelevelhttp4sRange0.23.0–0.23.17

typelevelhttp4sMatch1.0.0milestone1

typelevelhttp4sMatch1.0.0milestone10

typelevelhttp4sMatch1.0.0milestone11

typelevelhttp4sMatch1.0.0milestone12

typelevelhttp4sMatch1.0.0milestone13

typelevelhttp4sMatch1.0.0milestone14

typelevelhttp4sMatch1.0.0milestone15

typelevelhttp4sMatch1.0.0milestone16

typelevelhttp4sMatch1.0.0milestone17

typelevelhttp4sMatch1.0.0milestone18

typelevelhttp4sMatch1.0.0milestone19

typelevelhttp4sMatch1.0.0milestone2

typelevelhttp4sMatch1.0.0milestone20

typelevelhttp4sMatch1.0.0milestone21

typelevelhttp4sMatch1.0.0milestone22

typelevelhttp4sMatch1.0.0milestone23

typelevelhttp4sMatch1.0.0milestone24

typelevelhttp4sMatch1.0.0milestone25

typelevelhttp4sMatch1.0.0milestone26

typelevelhttp4sMatch1.0.0milestone27

typelevelhttp4sMatch1.0.0milestone28

typelevelhttp4sMatch1.0.0milestone29

typelevelhttp4sMatch1.0.0milestone3

typelevelhttp4sMatch1.0.0milestone30

typelevelhttp4sMatch1.0.0milestone31

typelevelhttp4sMatch1.0.0milestone32

typelevelhttp4sMatch1.0.0milestone33

typelevelhttp4sMatch1.0.0milestone34

typelevelhttp4sMatch1.0.0milestone35

typelevelhttp4sMatch1.0.0milestone36

typelevelhttp4sMatch1.0.0milestone37

typelevelhttp4sMatch1.0.0milestone4

typelevelhttp4sMatch1.0.0milestone5

typelevelhttp4sMatch1.0.0milestone6

typelevelhttp4sMatch1.0.0milestone7

typelevelhttp4sMatch1.0.0milestone8

typelevelhttp4sMatch1.0.0milestone9

VendorProductVersionCPE
typelevelhttp4s*cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*
typelevelhttp4s1.0.0cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*

Vendor	Product	Version	CPE
typelevel	http4s	*	cpe:2.3:a:typelevel:http4s::::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone1::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone10::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone11::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone12::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone13::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone14::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone15::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone16::::::
typelevel	http4s	1.0.0	cpe:2.3:a:typelevel:http4s:1.0.0:milestone17::::::

Rows per page:

1-10 of 381

CNA Affected

[
  {
    "vendor": "http4s",
    "product": "http4s",
    "versions": [
      {
        "version": ">= 0.1.0, < 0.21.34",
        "status": "affected"
      },
      {
        "version": ">= 0.22.0, < 0.22.15",
        "status": "affected"
      },
      {
        "version": ">= 0.23.0, < 0.23.17",
        "status": "affected"
      },
      {
        "version": ">= 1.0.0-M1, < 1.0.0-M38",
        "status": "affected"
      }
    ]
  }
]

References

github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

33.4%

JSON

Related for CVE-2023-22465