CVE-2021-32643

Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://` and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If opening a connection to the URL under its scheme and authority would return a stream, and the path component of the URL exists as a directory on the server, the presence of that directory can be inferred from the resulting 404 response. The contents of the directory and other metadata about it are not exposed. This affects http4s versions 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in versions v0.21.24, v0.22.0-M9, v0.23.0-M2 and v1.0.0-M23. As a workaround, users can avoid calling `StaticFile.fromUrl` with non-`file://` URLs.
Path Traversal
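To make the ordering problem in the description concrete, the following Scala sketch is an added illustration and not http4s's own `StaticFile` code: it models the outcome of a `fromUrl`-style lookup with plain `java.net.URL` and `java.io.File`, contrasting the vulnerable ordering (local directory test before the scheme test) with the fixed ordering and with the advisory's workaround. The object and method names, the `Outcome` type and the probe URL are assumptions made for this example.

```scala
import java.io.File
import java.net.URL

// Added illustration of the check ordering behind CVE-2021-32643.
// This is not http4s code: names, the Outcome type and the probe URL are assumed.
object StaticFileOrdering {
  sealed trait Outcome
  case object NotFound extends Outcome            // the F[None] / 404 path
  case object ServeFromFilesystem extends Outcome // a file:// resource
  case object ServeFromUrlStream extends Outcome  // any other fetchable scheme

  // Vulnerable ordering: the local-directory test runs for every scheme, so a
  // non-file URL whose path happens to match a local directory answers NotFound
  // and thereby reveals that the directory exists on the server.
  def vulnerableOrder(url: URL): Outcome =
    if (new File(url.getFile).isDirectory) NotFound
    else if (url.getProtocol == "file") ServeFromFilesystem
    else ServeFromUrlStream

  // Fixed ordering: only file:// URLs consult the local filesystem; for every
  // other scheme the directory check is never reached.
  def fixedOrder(url: URL): Outcome =
    if (url.getProtocol == "file") {
      if (new File(url.getFile).isDirectory) NotFound else ServeFromFilesystem
    } else ServeFromUrlStream

  // The advisory's workaround for unpatched versions: never hand a non-file
  // URL to StaticFile.fromUrl in the first place.
  def acceptOnlyFileUrls(url: URL): Either[String, URL] =
    if (url.getProtocol == "file") Right(url)
    else Left(s"refusing StaticFile.fromUrl for scheme '${url.getProtocol}'")

  def main(args: Array[String]): Unit = {
    // Constructed probe: a non-file URL whose path is a directory that
    // commonly exists on Unix-like hosts (/tmp).
    val probe = new URL("http://example.invalid/tmp")
    println(s"vulnerable ordering: ${vulnerableOrder(probe)}")
    println(s"fixed ordering:      ${fixedOrder(probe)}")
    println(s"workaround guard:    ${acceptOnlyFileUrls(probe)}")
  }
}
```

On a host where `/tmp` exists, the vulnerable ordering reports "no resource" for an `http://` URL purely because of local filesystem state, which is the observable difference the advisory describes; the fixed ordering gives the same answer regardless of whether the directory exists, and the guard shows the workaround for versions that cannot be upgraded.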
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.8 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
| GitHub_M | CNA | 5.8 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
| CVE | ADP | --- | --- | --- | --- | --- |

Base Score: CVSS 3.x

EPSS Score Percentile: 54%
| Vendor | Product | Version |
|---|---|---|
| typelevel | http4s | 0.21.7 ≤ x < 0.21.24 |
| typelevel | http4s | 0.22.0:milestone1 |
| typelevel | http4s | 0.22.0:milestone2 |
| typelevel | http4s | 0.22.0:milestone3 |
| typelevel | http4s | 0.22.0:milestone4 |
| typelevel | http4s | 0.22.0:milestone5 |
| typelevel | http4s | 0.22.0:milestone6 |
| typelevel | http4s | 0.22.0:milestone7 |
| typelevel | http4s | 0.22.0:milestone8 |
| typelevel | http4s | 0.23.0:milestone1 |
| typelevel | http4s | 1.0.0:milestone1 |
| typelevel | http4s | 1.0.0:milestone2 |
| typelevel | http4s | 1.0.0:milestone3 |
| typelevel | http4s | 1.0.0:milestone4 |
| typelevel | http4s | 1.0.0:milestone5 |
| typelevel | http4s | 1.0.0:milestone6 |
| typelevel | http4s | 1.0.0:milestone7 |
| typelevel | http4s | 1.0.0:milestone8 |
| typelevel | http4s | 1.0.0:milestone9 |
| typelevel | http4s | 1.0.0:milestone10 |
| typelevel | http4s | 1.0.0:milestone11 |
| typelevel | http4s | 1.0.0:milestone12 |
| typelevel | http4s | 1.0.0:milestone13 |
| typelevel | http4s | 1.0.0:milestone14 |
| typelevel | http4s | 1.0.0:milestone15 |
| typelevel | http4s | 1.0.0:milestone16 |
| typelevel | http4s | 1.0.0:milestone17 |
| typelevel | http4s | 1.0.0:milestone18 |
| typelevel | http4s | 1.0.0:milestone19 |
| typelevel | http4s | 1.0.0:milestone20 |
| typelevel | http4s | 1.0.0:milestone21 |
| typelevel | http4s | 1.0.0:milestone22 |

x = vulnerable software versions