CVE-2023-22465

04.01.2023, 16:15

Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs.  In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Vendor	Product	Version
typelevel	http4s	0.1.0 ≤ 𝑥 < 0.21.34
typelevel	http4s	0.22.0 ≤ 𝑥 < 0.22.15
typelevel	http4s	0.23.0 ≤ 𝑥 < 0.23.17
typelevel	http4s	1.0.0:milestone1
typelevel	http4s	1.0.0:milestone10
typelevel	http4s	1.0.0:milestone11
typelevel	http4s	1.0.0:milestone12
typelevel	http4s	1.0.0:milestone13
typelevel	http4s	1.0.0:milestone14
typelevel	http4s	1.0.0:milestone15
typelevel	http4s	1.0.0:milestone16
typelevel	http4s	1.0.0:milestone17
typelevel	http4s	1.0.0:milestone18
typelevel	http4s	1.0.0:milestone19
typelevel	http4s	1.0.0:milestone2
typelevel	http4s	1.0.0:milestone20
typelevel	http4s	1.0.0:milestone21
typelevel	http4s	1.0.0:milestone22
typelevel	http4s	1.0.0:milestone23
typelevel	http4s	1.0.0:milestone24
typelevel	http4s	1.0.0:milestone25
typelevel	http4s	1.0.0:milestone26
typelevel	http4s	1.0.0:milestone27
typelevel	http4s	1.0.0:milestone28
typelevel	http4s	1.0.0:milestone29
typelevel	http4s	1.0.0:milestone3
typelevel	http4s	1.0.0:milestone30
typelevel	http4s	1.0.0:milestone31
typelevel	http4s	1.0.0:milestone32
typelevel	http4s	1.0.0:milestone33
typelevel	http4s	1.0.0:milestone34
typelevel	http4s	1.0.0:milestone35
typelevel	http4s	1.0.0:milestone36
typelevel	http4s	1.0.0:milestone37
typelevel	http4s	1.0.0:milestone4
typelevel	http4s	1.0.0:milestone5
typelevel	http4s	1.0.0:milestone6
typelevel	http4s	1.0.0:milestone7
typelevel	http4s	1.0.0:milestone8
typelevel	http4s	1.0.0:milestone9

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f