CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
AI Score
Confidence: High
EPSS
Percentile: 52.2%
http4s is an open source Scala interface for HTTP. In affected versions, http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: header names (Header.name), header values (Header.value), status reason phrases (Status.reason), URI paths (Uri.Path), and URI authority registered names (URI.RegName) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27. As a matter of practice, http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
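The sanitization practice described above, as an added example that is not http4s code: plain Scala with no http4s dependency, narrowed to the header and status-reason fields. `SplittingGuard`, `check`, `render` and `renderChecked` are hypothetical names, and the input is constructed.

```scala
// Added example; all names are hypothetical and not part of the http4s API.
object SplittingGuard {
  // The three characters the advisory calls out: carriage return, newline, null.
  private val Forbidden: Set[Char] = Set('\r', '\n', '\u0000')

  /** Left(error) if the value contains CR, LF or NUL; Right(value) otherwise. */
  def check(field: String, value: String): Either[String, String] =
    value.indexWhere(Forbidden) match {
      case -1 => Right(value)
      case i  => Left(f"$field: forbidden character 0x${value.charAt(i).toInt}%02x at index $i")
    }

  // Naive serializer standing in for any code that writes these fields verbatim.
  def render(status: Int, reason: String, headers: Seq[(String, String)]): String = {
    val head = s"HTTP/1.1 $status $reason\r\n"
    head + headers.map { case (n, v) => s"$n: $v\r\n" }.mkString + "\r\n"
  }

  // Checks the reason phrase and every header name and value before rendering.
  def renderChecked(status: Int, reason: String,
                    headers: Seq[(String, String)]): Either[String, String] = {
    val fields = ("Status.reason" -> reason) +: headers.flatMap { case (n, v) =>
      Seq("Header.name" -> n, "Header.value" -> v)
    }
    fields.map { case (f, v) => check(f, v) }.collectFirst { case Left(e) => e } match {
      case Some(error) => Left(error)
      case None        => Right(render(status, reason, headers))
    }
  }

  def main(args: Array[String]): Unit = {
    // Constructed input: a redirect target copied from a request parameter.
    val untrusted = "/home\r\nX-Injected: yes"
    val headers   = Seq("Location" -> untrusted)

    // Unchecked: the serialized head carries a header line the application never set.
    println(render(302, "Found", headers).split("\r\n").toList)

    // Checked: the value is rejected before anything is written.
    println(renderChecked(302, "Found", headers))

    // A clean value passes through unchanged.
    println(renderChecked(302, "Found", Seq("Location" -> "/home")).isRight)
  }
}
```

Rejecting the whole value, rather than stripping the characters, keeps the failure visible to the caller.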
[
  {
    "product": "http4s",
    "vendor": "http4s",
    "versions": [
      {
        "status": "affected",
        "version": "<= 0.21.28"
      },
      {
        "status": "affected",
        "version": ">= 0.22.0, < 0.22.5"
      },
      {
        "status": "affected",
        "version": ">= 0.23.0, < 0.23.4"
      },
      {
        "status": "affected",
        "version": ">= 1.0.0-M1, < 1.0.0-M27"
      }
    ]
  }
]