cvelistv5 - CVE-2021-41084

CVE-2021-41084 (GCVE-0-2021-41084)

Vulnerability from cvelistv5 – Published: 2021-09-21 17:20 – Updated: 2024-08-04 02:59

Summary

http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`å), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.

Severity ?

8.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/http4s/http4s/security/advisor…	x_refsource_CONFIRM
	https://github.com/http4s/http4s/commit/d02007db1…	x_refsource_MISC
	https://httpwg.org/http-core/draft-ietf-httpbis-s…	x_refsource_MISC
	https://owasp.org/www-community/attacks/HTTP_Resp…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	http4s	http4s	Affected: <= 0.21.28 Affected: >= 0.22.0, < 0.22.5 Affected: >= 0.23.0, < 0.23.4 Affected: >= 1.0.0-M1, < 1.0.0-M27

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:59:31.504Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "http4s",
          "vendor": "http4s",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.21.28"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.22.0, \u003c 0.22.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.23.0, \u003c 0.23.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0-M1, \u003c 1.0.0-M27"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-09-21T17:20:14",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
        }
      ],
      "source": {
        "advisory": "GHSA-5vcm-3xc3-w7x3",
        "discovery": "UNKNOWN"
      },
      "title": "Response Splitting from unsanitized headers in http4s",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41084",
          "STATE": "PUBLIC",
          "TITLE": "Response Splitting from unsanitized headers in http4s"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "http4s",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 0.21.28"
                          },
                          {
                            "version_value": "\u003e= 0.22.0, \u003c 0.22.5"
                          },
                          {
                            "version_value": "\u003e= 0.23.0, \u003c 0.23.4"
                          },
                          {
                            "version_value": "\u003e= 1.0.0-M1, \u003c 1.0.0-M27"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "http4s"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-918: Server-Side Request Forgery (SSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3",
              "refsource": "CONFIRM",
              "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
            },
            {
              "name": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8",
              "refsource": "MISC",
              "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
            },
            {
              "name": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values",
              "refsource": "MISC",
              "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
            },
            {
              "name": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting",
              "refsource": "MISC",
              "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-5vcm-3xc3-w7x3",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41084",
    "datePublished": "2021-09-21T17:20:14",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T02:59:31.504Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.21.29\", \"matchCriteriaId\": \"B0B6AFB9-30AE-4CB0-98E8-80E2066211CD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.22.0\", \"versionEndExcluding\": \"0.22.5\", \"matchCriteriaId\": \"B0D7EA70-14A9-4DB3-B96C-2FA713040D65\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.23.0\", \"versionEndExcluding\": \"0.23.4\", \"matchCriteriaId\": \"9A613C47-29E5-484C-AEBF-C3B5EB5ED3CF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*\", \"matchCriteriaId\": \"65C497F9-281C-4565-BD36-B6B4D7E6F8BD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*\", \"matchCriteriaId\": \"6FCFC3E5-7530-4AAA-A2C7-36DC307B613B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*\", \"matchCriteriaId\": \"D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*\", \"matchCriteriaId\": \"76F8BC53-544C-4285-8D9B-CB91AD080048\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*\", \"matchCriteriaId\": \"778947CA-20BA-469F-87E1-97D8713ACC75\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*\", \"matchCriteriaId\": \"F5B02828-1E40-49BE-8367-10296625C696\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*\", \"matchCriteriaId\": \"A569F32F-3C8C-4F8F-B0BC-6ADC993596A9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*\", \"matchCriteriaId\": \"525DBF4B-F574-459D-9CE2-6AF597ABAE10\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*\", \"matchCriteriaId\": \"FD05B15E-1E4F-43EA-B21A-3B96A77814D6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*\", \"matchCriteriaId\": \"65C79F52-F05F-4F0A-AC27-393197B9EF00\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*\", \"matchCriteriaId\": \"A426B4C0-643A-492F-B7FB-725549F613F6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*\", \"matchCriteriaId\": \"D95E231C-3D13-45FC-AF9A-CB8CF1FFC983\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*\", \"matchCriteriaId\": \"CF973F58-0AC7-4B58-A2CF-654133CE7F1A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*\", \"matchCriteriaId\": \"35C40331-C96C-477C-B6BD-D5506E612DA8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*\", \"matchCriteriaId\": \"615BC827-3E0F-4C1E-8FD2-B59FF31F2D49\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*\", \"matchCriteriaId\": \"FDFB35FD-4D08-4895-B1B6-FC03BCB3EB22\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*\", \"matchCriteriaId\": \"97F74D04-031E-47D4-BA57-DBE9C74CE256\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone25:*:*:*:*:*:*\", \"matchCriteriaId\": \"2FDC2E12-DE86-4A82-BD2F-C18F715CA673\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:*\", \"matchCriteriaId\": \"C1C18467-5FD0-4DCC-8B75-979C03BFF1C4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*\", \"matchCriteriaId\": \"DE093D65-1B3A-4A4A-BC76-05DEF9529712\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*\", \"matchCriteriaId\": \"DC3CA618-148D-4F97-9913-316DDDD97838\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*\", \"matchCriteriaId\": \"02FA538C-9D8A-49D5-8268-1A2C3E96B89B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*\", \"matchCriteriaId\": \"D18A3ABC-5C47-45BF-978C-5BB17787DCFA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*\", \"matchCriteriaId\": \"1CE1CF51-E61A-418A-AB22-9D7A6D690BAA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*\", \"matchCriteriaId\": \"29A70AAA-B77A-4291-A700-C910362DB8D4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*\", \"matchCriteriaId\": \"9F8F3C38-57AB-4CBC-8959-7FF51CBA7907\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.\"}, {\"lang\": \"es\", \"value\": \"http4s es una interfaz scala de c\\u00f3digo abierto para HTTP. En las versiones afectadas, http4s es vulnerable a ataques de divisi\\u00f3n de respuestas o de peticiones cuando entradas de usuario no confiables son usadas para crear cualquiera de los siguientes campos: Header names (\\\"Header.name\\\"), Header values (\\\"Header.value\\\"), Status reason phrases (\\\"Status.reason\\\"), URI paths (\\\"Uri.Path\\\"), URI authority registered names (\\\"URI.RegName\\\") (versiones hasta 0.21). Este problema ha sido resuelto en versiones 0.21.30, 0.22.5, 0.23.4 y 1.0.0-M27 llevan a cabo lo siguiente. Como cuesti\\u00f3n de pr\\u00e1ctica, los servicios http4s y las aplicaciones cliente deber\\u00edan sanear cualquier entrada del usuario en los campos mencionados antes de devolver una petici\\u00f3n o respuesta al backend. Los caracteres carriage return, newline y null son los m\\u00e1s amenazantes\"}]",
      "id": "CVE-2021-41084",
      "lastModified": "2024-11-21T06:25:25.353",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N\", \"baseScore\": 8.7, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.8}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N\", \"baseScore\": 4.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-09-21T18:15:07.427",
      "references": "[{\"url\": \"https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://owasp.org/www-community/attacks/HTTP_Response_Splitting\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://owasp.org/www-community/attacks/HTTP_Response_Splitting\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-74\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-41084\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-09-21T18:15:07.427\",\"lastModified\":\"2024-11-21T06:25:25.353\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.\"},{\"lang\":\"es\",\"value\":\"http4s es una interfaz scala de c\u00f3digo abierto para HTTP. En las versiones afectadas, http4s es vulnerable a ataques de divisi\u00f3n de respuestas o de peticiones cuando entradas de usuario no confiables son usadas para crear cualquiera de los siguientes campos: Header names (\\\"Header.name\\\"), Header values (\\\"Header.value\\\"), Status reason phrases (\\\"Status.reason\\\"), URI paths (\\\"Uri.Path\\\"), URI authority registered names (\\\"URI.RegName\\\") (versiones hasta 0.21). Este problema ha sido resuelto en versiones 0.21.30, 0.22.5, 0.23.4 y 1.0.0-M27 llevan a cabo lo siguiente. Como cuesti\u00f3n de pr\u00e1ctica, los servicios http4s y las aplicaciones cliente deber\u00edan sanear cualquier entrada del usuario en los campos mencionados antes de devolver una petici\u00f3n o respuesta al backend. Los caracteres carriage return, newline y null son los m\u00e1s amenazantes\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.21.29\",\"matchCriteriaId\":\"B0B6AFB9-30AE-4CB0-98E8-80E2066211CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.22.0\",\"versionEndExcluding\":\"0.22.5\",\"matchCriteriaId\":\"B0D7EA70-14A9-4DB3-B96C-2FA713040D65\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.23.0\",\"versionEndExcluding\":\"0.23.4\",\"matchCriteriaId\":\"9A613C47-29E5-484C-AEBF-C3B5EB5ED3CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"65C497F9-281C-4565-BD36-B6B4D7E6F8BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*\",\"matchCriteriaId\":\"6FCFC3E5-7530-4AAA-A2C7-36DC307B613B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*\",\"matchCriteriaId\":\"D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*\",\"matchCriteriaId\":\"76F8BC53-544C-4285-8D9B-CB91AD080048\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*\",\"matchCriteriaId\":\"778947CA-20BA-469F-87E1-97D8713ACC75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5B02828-1E40-49BE-8367-10296625C696\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*\",\"matchCriteriaId\":\"A569F32F-3C8C-4F8F-B0BC-6ADC993596A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*\",\"matchCriteriaId\":\"525DBF4B-F574-459D-9CE2-6AF597ABAE10\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD05B15E-1E4F-43EA-B21A-3B96A77814D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*\",\"matchCriteriaId\":\"65C79F52-F05F-4F0A-AC27-393197B9EF00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*\",\"matchCriteriaId\":\"A426B4C0-643A-492F-B7FB-725549F613F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"D95E231C-3D13-45FC-AF9A-CB8CF1FFC983\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*\",\"matchCriteriaId\":\"CF973F58-0AC7-4B58-A2CF-654133CE7F1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*\",\"matchCriteriaId\":\"35C40331-C96C-477C-B6BD-D5506E612DA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*\",\"matchCriteriaId\":\"615BC827-3E0F-4C1E-8FD2-B59FF31F2D49\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*\",\"matchCriteriaId\":\"FDFB35FD-4D08-4895-B1B6-FC03BCB3EB22\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*\",\"matchCriteriaId\":\"97F74D04-031E-47D4-BA57-DBE9C74CE256\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone25:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FDC2E12-DE86-4A82-BD2F-C18F715CA673\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1C18467-5FD0-4DCC-8B75-979C03BFF1C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE093D65-1B3A-4A4A-BC76-05DEF9529712\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC3CA618-148D-4F97-9913-316DDDD97838\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*\",\"matchCriteriaId\":\"02FA538C-9D8A-49D5-8268-1A2C3E96B89B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*\",\"matchCriteriaId\":\"D18A3ABC-5C47-45BF-978C-5BB17787DCFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*\",\"matchCriteriaId\":\"1CE1CF51-E61A-418A-AB22-9D7A6D690BAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*\",\"matchCriteriaId\":\"29A70AAA-B77A-4291-A700-C910362DB8D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F8F3C38-57AB-4CBC-8959-7FF51CBA7907\"}]}]}],\"references\":[{\"url\":\"https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://owasp.org/www-community/attacks/HTTP_Response_Splitting\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://owasp.org/www-community/attacks/HTTP_Response_Splitting\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

GHSA-5VCM-3XC3-W7X3

Vulnerability from github – Published: 2021-09-22 19:18 – Updated: 2022-10-25 20:24

Summary

Response Splitting from unsanitized headers

Details

Impact

http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields:

Header names (Header.nameå
Header values (Header.value)
Status reason phrases (Status.reason)
URI paths (Uri.Path)
URI authority registered names (URI.RegName) (through 0.21)

The following backends render invalid carriage return, newline, or null characters in an unsafe fashion.

	blaze-server	ember-server	blaze-client	ember-client	jetty-client
header names	⚠	⚠	⚠	⚠	⚠
header values	⚠	⚠	⚠	⚠
status reasons	⚠	⚠
URI paths			⚠	⚠
URI regnames			⚠ < 0.22	⚠ < 0.22

For example, given the following service:

import cats.effect._
import org.http4s._
import org.http4s.dsl.io._
import org.http4s.server.blaze.BlazeServerBuilder
import scala.concurrent.ExecutionContext.global

object ResponseSplit extends IOApp {
  override def run(args: List[String]): IO[ExitCode] =
    BlazeServerBuilder[IO](global)
      .bindHttp(8080)
      .withHttpApp(httpApp)
      .resource
      .use(_ => IO.never)

  val httpApp: HttpApp[IO] =
    HttpApp[IO] { req =>
      req.params.get("author") match {
        case Some(author) =>
          Ok("The real content")
            .map(_.putHeaders(Header("Set-Cookie", s"author=${author}")))
        case None =>
          BadRequest("No author parameter")
      }
    }
}

A clean author parameter returns a clean response:

curl -i 'http://localhost:8080/?author=Ross'

HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Set-Cookie: author=Ross
Date: Mon, 20 Sep 2021 04:12:10 GMT
Content-Length: 16

The real content

A malicious author parameter allows a user-agent to hijack the response from our server and return different content:

curl -i 'http://localhost:8080/?author=hax0r%0d%0aContent-Length:+13%0d%0a%0aI+hacked+you'

HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Set-Cookie: author=hax0r
Content-Length: 13

I hacked you

Patches

Versions 0.21.29, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following:

If a status reasoon phrase is invalid, it is dropped. Rendering is optional per spec.
If a header name is invalid in a request or response, the header is dropped. There is no way to generically sanitize a header without potentially shadowing a correct one.
If a header value is invalid in a request or response, it is sanitized by replacing null (\u0000), carriage return (\r), and newline (\n) with space () characters per spec.
If a URI path or registered name is invalid in a request line, the client raises an IllegalArgumentException.
If a URI registered name is invalid in a host header, the client raises an IllegalArgumentException.

Workarounds

http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.

Not all backends were affected: jetty-server, tomcat-server, armeria, and netty on the server; async-http-client, okhttp-client, armeria, and netty as clients.

References

https://owasp.org/www-community/attacks/HTTP_Response_Splitting
https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values

For more information

If you have any questions or comments about this advisory: * Open an issue in GitHub * Contact us via the http4s security policy

Severity ?

8.7 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.21.28"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.21.28"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.22.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.22.0"
            },
            {
              "fixed": "0.22.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.23.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.23.0"
            },
            {
              "fixed": "0.23.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.22.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.22.0"
            },
            {
              "fixed": "0.22.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.23.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:http4s-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.23.0"
            },
            {
              "fixed": "0.23.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-21T16:10:13Z",
    "nvd_published_at": "2021-09-21T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nhttp4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields:\n\n* Header names (`Header.name`\u00e5\n* Header values (`Header.value`)\n* Status reason phrases (`Status.reason`)\n* URI paths (`Uri.Path`)\n* URI authority registered names (`URI.RegName`) (through 0.21)\n\nThe following backends render invalid carriage return, newline, or null characters in an unsafe fashion.\n\n|                | blaze-server | ember-server | blaze-client | ember-client | jetty-client |\n|:---------------|:-------------|:-------------|:-------------|--------------|--------------|\n| header names   | \u26a0            | \u26a0            | \u26a0            | \u26a0            |   \u26a0            | \n| header values  | \u26a0            | \u26a0            | \u26a0            | \u26a0            |              |\n| status reasons | \u26a0            | \u26a0            |              |              |              |\n| URI paths      |              |              |  \u26a0             |  \u26a0             |              |\n| URI regnames   |              |              |  \u26a0 \u003c 0.22           |  \u26a0 \u003c 0.22            |              |\n\nFor example, given the following service:\n\n```scala\nimport cats.effect._\nimport org.http4s._\nimport org.http4s.dsl.io._\nimport org.http4s.server.blaze.BlazeServerBuilder\nimport scala.concurrent.ExecutionContext.global\n\nobject ResponseSplit extends IOApp {\n  override def run(args: List[String]): IO[ExitCode] =\n    BlazeServerBuilder[IO](global)\n      .bindHttp(8080)\n      .withHttpApp(httpApp)\n      .resource\n      .use(_ =\u003e IO.never)\n\n  val httpApp: HttpApp[IO] =\n    HttpApp[IO] { req =\u003e\n      req.params.get(\"author\") match {\n        case Some(author) =\u003e\n          Ok(\"The real content\")\n            .map(_.putHeaders(Header(\"Set-Cookie\", s\"author=${author}\")))\n        case None =\u003e\n          BadRequest(\"No author parameter\")\n      }\n    }\n}\n```\n\nA clean `author` parameter returns a clean response:\n\n```sh\ncurl -i \u0027http://localhost:8080/?author=Ross\u0027\n```\n\n```http\nHTTP/1.1 200 OK\nContent-Type: text/plain; charset=UTF-8\nSet-Cookie: author=Ross\nDate: Mon, 20 Sep 2021 04:12:10 GMT\nContent-Length: 16\n\nThe real content\n```\n\nA malicious `author` parameter allows a user-agent to hijack the response from our server and return different content:\n\n```sh\ncurl -i \u0027http://localhost:8080/?author=hax0r%0d%0aContent-Length:+13%0d%0a%0aI+hacked+you\u0027\n```\n\n```http\nHTTP/1.1 200 OK\nContent-Type: text/plain; charset=UTF-8\nSet-Cookie: author=hax0r\nContent-Length: 13\n\nI hacked you\n```\n\n### Patches\n\nVersions 0.21.29, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following:\n\n* If a status reasoon phrase is invalid, it is dropped. Rendering is optional per spec.\n* If a header name is invalid in a request or response, the header is dropped.  There is no way to generically sanitize a header without potentially shadowing a correct one.\n* If a header value is invalid in a request or response, it is sanitized by replacing null (`\\u0000`), carriage return (`\\r`), and newline (`\\n`) with space (` `) characters per spec.\n* If a URI path or registered name is invalid in a request line, the client raises an `IllegalArgumentException`.\n* If a URI registered name is invalid in a host header, the client raises an `IllegalArgumentException`. \n\n### Workarounds\n\nhttp4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend.  The carriage return, newline, and null characters are the most threatening.\n\nNot all backends were affected: jetty-server, tomcat-server, armeria, and netty on the server; async-http-client, okhttp-client, armeria, and netty as clients.\n\n### References\n* https://owasp.org/www-community/attacks/HTTP_Response_Splitting\n* https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub](http://github.com/http4s/http4s)\n* Contact us via the [http4s security policy](https://github.com/http4s/http4s/security/policy)\n",
  "id": "GHSA-5vcm-3xc3-w7x3",
  "modified": "2022-10-25T20:24:37Z",
  "published": "2021-09-22T19:18:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41084"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/http4s/http4s"
    },
    {
      "type": "WEB",
      "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Response Splitting from unsanitized headers"
}

GSD-2021-41084

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-41084

Aliases

CVE-2021-41084

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-41084",
    "description": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.",
    "id": "GSD-2021-41084"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-41084"
      ],
      "details": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.",
      "id": "GSD-2021-41084",
      "modified": "2023-12-13T01:23:26.890573Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-41084",
        "STATE": "PUBLIC",
        "TITLE": "Response Splitting from unsanitized headers in http4s"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "http4s",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c= 0.21.28"
                        },
                        {
                          "version_value": "\u003e= 0.22.0, \u003c 0.22.5"
                        },
                        {
                          "version_value": "\u003e= 0.23.0, \u003c 0.23.4"
                        },
                        {
                          "version_value": "\u003e= 1.0.0-M1, \u003c 1.0.0-M27"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "http4s"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-918: Server-Side Request Forgery (SSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3",
            "refsource": "CONFIRM",
            "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
          },
          {
            "name": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8",
            "refsource": "MISC",
            "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
          },
          {
            "name": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values",
            "refsource": "MISC",
            "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
          },
          {
            "name": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting",
            "refsource": "MISC",
            "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-5vcm-3xc3-w7x3",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,0.21.28],[0.22.0,0.22.4],[0.23.0,0.23.3]",
          "affected_versions": "All versions up to 0.21.28, all versions starting from 0.22.0 up to 0.22.4, all versions starting from 0.23.0 up to 0.23.3",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-74",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2021-10-21",
          "description": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.",
          "fixed_versions": [
            "0.21.29",
            "0.22.5",
            "0.23.4"
          ],
          "identifier": "CVE-2021-41084",
          "identifiers": [
            "GHSA-5vcm-3xc3-w7x3",
            "CVE-2021-41084"
          ],
          "not_impacted": "All versions after 0.21.28 before 0.22.0, all versions after 0.22.4 before 0.23.0, all versions after 0.23.3",
          "package_slug": "maven/org.http4s/http4s-client",
          "pubdate": "2021-09-22",
          "solution": "Upgrade to versions 0.21.29, 0.22.5, 0.23.4 or above.",
          "title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
          "urls": [
            "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41084",
            "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8",
            "https://github.com/advisories/GHSA-5vcm-3xc3-w7x3"
          ],
          "uuid": "645e8239-9111-47fd-97f7-566b74faadd4"
        },
        {
          "affected_range": "(,0.21.29),[0.22.0,0.22.5),[0.23.0,0.23.4),[1.0.0]",
          "affected_versions": "All versions before 0.21.29, all versions starting from 0.22.0 before 0.22.5, all versions starting from 0.23.0 before 0.23.4, version 1.0.0",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-74",
            "CWE-937"
          ],
          "date": "2022-10-25",
          "description": "http4s is an open source scala interface for HTTP. Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`).",
          "fixed_versions": [
            "0.21.29",
            "0.22.5",
            "0.23.4",
            "1.0-2-1e49ccf"
          ],
          "identifier": "CVE-2021-41084",
          "identifiers": [
            "CVE-2021-41084",
            "GHSA-5vcm-3xc3-w7x3"
          ],
          "not_impacted": "All versions starting from 0.21.29 before 0.22.0, all versions starting from 0.22.5 before 0.23.0, all versions starting from 0.23.4 before 1.0.0, all versions after 1.0.0",
          "package_slug": "maven/org.http4s/http4s-core_2.12",
          "pubdate": "2021-09-21",
          "solution": "Upgrade to versions 0.21.29, 0.22.5, 0.23.4, 1.0-2-1e49ccf or above.",
          "title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41084"
          ],
          "uuid": "2ebf0de0-a24a-4c5a-99f2-13bbe63dc3bc"
        },
        {
          "affected_range": "(,0.21.28],[0.22.0,0.22.4],[0.23.0,0.23.3]",
          "affected_versions": "All versions up to 0.21.28, all versions starting from 0.22.0 up to 0.22.4, all versions starting from 0.23.0 up to 0.23.3",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-74",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2021-10-21",
          "description": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.",
          "fixed_versions": [
            "0.21.29",
            "0.22.5",
            "0.23.4"
          ],
          "identifier": "CVE-2021-41084",
          "identifiers": [
            "GHSA-5vcm-3xc3-w7x3",
            "CVE-2021-41084"
          ],
          "not_impacted": "All versions after 0.21.28 before 0.22.0, all versions after 0.22.4 before 0.23.0, all versions after 0.23.3",
          "package_slug": "maven/org.http4s/http4s-server",
          "pubdate": "2021-09-22",
          "solution": "Upgrade to versions 0.21.29, 0.22.5, 0.23.4 or above.",
          "title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
          "urls": [
            "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41084",
            "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8",
            "https://github.com/advisories/GHSA-5vcm-3xc3-w7x3"
          ],
          "uuid": "7785a85f-1bed-4929-abc6-324d23f3e73e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.23.4",
                "versionStartIncluding": "0.23.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone25:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.21.29",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.22.5",
                "versionStartIncluding": "0.22.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41084"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-74"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
            },
            {
              "name": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
            },
            {
              "name": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
            },
            {
              "name": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-10-25T14:56Z",
      "publishedDate": "2021-09-21T18:15Z"
    }
  }
}

FKIE_CVE-2021-41084

Vulnerability from fkie_nvd - Published: 2021-09-21 18:15 - Updated: 2024-11-21 06:25

Severity ?

8.7 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3	Exploit, Third Party Advisory
security-advisories@github.com	https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values	Vendor Advisory
security-advisories@github.com	https://owasp.org/www-community/attacks/HTTP_Response_Splitting	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://owasp.org/www-community/attacks/HTTP_Response_Splitting	Third Party Advisory

Impacted products

Vendor	Product	Version
typelevel	http4s	*
typelevel	http4s	*
typelevel	http4s	*
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0
typelevel	http4s	1.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0B6AFB9-30AE-4CB0-98E8-80E2066211CD",
              "versionEndExcluding": "0.21.29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0D7EA70-14A9-4DB3-B96C-2FA713040D65",
              "versionEndExcluding": "0.22.5",
              "versionStartIncluding": "0.22.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A613C47-29E5-484C-AEBF-C3B5EB5ED3CF",
              "versionEndExcluding": "0.23.4",
              "versionStartIncluding": "0.23.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "65C497F9-281C-4565-BD36-B6B4D7E6F8BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*",
              "matchCriteriaId": "6FCFC3E5-7530-4AAA-A2C7-36DC307B613B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*",
              "matchCriteriaId": "D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*",
              "matchCriteriaId": "76F8BC53-544C-4285-8D9B-CB91AD080048",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*",
              "matchCriteriaId": "778947CA-20BA-469F-87E1-97D8713ACC75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*",
              "matchCriteriaId": "F5B02828-1E40-49BE-8367-10296625C696",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*",
              "matchCriteriaId": "A569F32F-3C8C-4F8F-B0BC-6ADC993596A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*",
              "matchCriteriaId": "525DBF4B-F574-459D-9CE2-6AF597ABAE10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*",
              "matchCriteriaId": "FD05B15E-1E4F-43EA-B21A-3B96A77814D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*",
              "matchCriteriaId": "65C79F52-F05F-4F0A-AC27-393197B9EF00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*",
              "matchCriteriaId": "A426B4C0-643A-492F-B7FB-725549F613F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "D95E231C-3D13-45FC-AF9A-CB8CF1FFC983",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*",
              "matchCriteriaId": "CF973F58-0AC7-4B58-A2CF-654133CE7F1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*",
              "matchCriteriaId": "35C40331-C96C-477C-B6BD-D5506E612DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*",
              "matchCriteriaId": "615BC827-3E0F-4C1E-8FD2-B59FF31F2D49",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*",
              "matchCriteriaId": "FDFB35FD-4D08-4895-B1B6-FC03BCB3EB22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*",
              "matchCriteriaId": "97F74D04-031E-47D4-BA57-DBE9C74CE256",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone25:*:*:*:*:*:*",
              "matchCriteriaId": "2FDC2E12-DE86-4A82-BD2F-C18F715CA673",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:*",
              "matchCriteriaId": "C1C18467-5FD0-4DCC-8B75-979C03BFF1C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "DE093D65-1B3A-4A4A-BC76-05DEF9529712",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*",
              "matchCriteriaId": "DC3CA618-148D-4F97-9913-316DDDD97838",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*",
              "matchCriteriaId": "02FA538C-9D8A-49D5-8268-1A2C3E96B89B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*",
              "matchCriteriaId": "D18A3ABC-5C47-45BF-978C-5BB17787DCFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*",
              "matchCriteriaId": "1CE1CF51-E61A-418A-AB22-9D7A6D690BAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*",
              "matchCriteriaId": "29A70AAA-B77A-4291-A700-C910362DB8D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*",
              "matchCriteriaId": "9F8F3C38-57AB-4CBC-8959-7FF51CBA7907",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening."
    },
    {
      "lang": "es",
      "value": "http4s es una interfaz scala de c\u00f3digo abierto para HTTP. En las versiones afectadas, http4s es vulnerable a ataques de divisi\u00f3n de respuestas o de peticiones cuando entradas de usuario no confiables son usadas para crear cualquiera de los siguientes campos: Header names (\"Header.name\"), Header values (\"Header.value\"), Status reason phrases (\"Status.reason\"), URI paths (\"Uri.Path\"), URI authority registered names (\"URI.RegName\") (versiones hasta 0.21). Este problema ha sido resuelto en versiones 0.21.30, 0.22.5, 0.23.4 y 1.0.0-M27 llevan a cabo lo siguiente. Como cuesti\u00f3n de pr\u00e1ctica, los servicios http4s y las aplicaciones cliente deber\u00edan sanear cualquier entrada del usuario en los campos mencionados antes de devolver una petici\u00f3n o respuesta al backend. Los caracteres carriage return, newline y null son los m\u00e1s amenazantes"
    }
  ],
  "id": "CVE-2021-41084",
  "lastModified": "2024-11-21T06:25:25.353",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-09-21T18:15:07.427",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-41084 (GCVE-0-2021-41084)

GHSA-5VCM-3XC3-W7X3

Impact

Patches

Workarounds

References

For more information

GSD-2021-41084

FKIE_CVE-2021-41084

Tags

Sightings

Nomenclature