FKIE_CVE-2021-32643

Vulnerability from fkie_nvd - Published: 2021-05-27 18:15 - Updated: 2024-11-21 06:07
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Summary
Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.
References
security-advisories@github.comhttps://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6Patch, Third Party Advisory
security-advisories@github.comhttps://mvnrepository.com/artifact/org.http4s/http4s-coreThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://mvnrepository.com/artifact/org.http4s/http4s-coreThird Party Advisory
Impacted products
Vendor Product Version
typelevel http4s *
typelevel http4s 0.22.0
typelevel http4s 0.22.0
typelevel http4s 0.22.0
typelevel http4s 0.22.0
typelevel http4s 0.22.0
typelevel http4s 0.22.0
typelevel http4s 0.22.0
typelevel http4s 0.22.0
typelevel http4s 0.23.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A89F91C5-C023-499F-92E9-6ABD29906F05",
              "versionEndExcluding": "0.21.24",
              "versionStartIncluding": "0.21.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "3F47AFA4-20AD-41C4-9693-D9BE51F61AD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "277DD893-FCEC-494D-A25C-E4F1C0E2F30B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "8CAEF1DF-8A14-4C6A-AF85-B66B07E53BCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone4:*:*:*:*:*:*",
              "matchCriteriaId": "5F4BFAA7-4295-4496-9883-410DAEEC2CE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone5:*:*:*:*:*:*",
              "matchCriteriaId": "5D2214A6-5A1F-4A89-9718-83D499D9A417",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone6:*:*:*:*:*:*",
              "matchCriteriaId": "176031C5-37CA-4303-9222-6A5D1BA5982F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone7:*:*:*:*:*:*",
              "matchCriteriaId": "F860AD98-AC2A-460C-A95A-DE044EE32AD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone8:*:*:*:*:*:*",
              "matchCriteriaId": "00D9D86C-BE0A-44FB-A242-6DF85C645591",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:0.23.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "C2A29EBD-8832-45AE-8686-B1058AAF9476",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "65C497F9-281C-4565-BD36-B6B4D7E6F8BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*",
              "matchCriteriaId": "6FCFC3E5-7530-4AAA-A2C7-36DC307B613B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*",
              "matchCriteriaId": "D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*",
              "matchCriteriaId": "76F8BC53-544C-4285-8D9B-CB91AD080048",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*",
              "matchCriteriaId": "778947CA-20BA-469F-87E1-97D8713ACC75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*",
              "matchCriteriaId": "F5B02828-1E40-49BE-8367-10296625C696",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*",
              "matchCriteriaId": "A569F32F-3C8C-4F8F-B0BC-6ADC993596A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*",
              "matchCriteriaId": "525DBF4B-F574-459D-9CE2-6AF597ABAE10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*",
              "matchCriteriaId": "FD05B15E-1E4F-43EA-B21A-3B96A77814D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*",
              "matchCriteriaId": "65C79F52-F05F-4F0A-AC27-393197B9EF00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*",
              "matchCriteriaId": "A426B4C0-643A-492F-B7FB-725549F613F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "D95E231C-3D13-45FC-AF9A-CB8CF1FFC983",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*",
              "matchCriteriaId": "CF973F58-0AC7-4B58-A2CF-654133CE7F1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*",
              "matchCriteriaId": "35C40331-C96C-477C-B6BD-D5506E612DA8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*",
              "matchCriteriaId": "615BC827-3E0F-4C1E-8FD2-B59FF31F2D49",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "DE093D65-1B3A-4A4A-BC76-05DEF9529712",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*",
              "matchCriteriaId": "DC3CA618-148D-4F97-9913-316DDDD97838",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*",
              "matchCriteriaId": "02FA538C-9D8A-49D5-8268-1A2C3E96B89B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*",
              "matchCriteriaId": "D18A3ABC-5C47-45BF-978C-5BB17787DCFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*",
              "matchCriteriaId": "1CE1CF51-E61A-418A-AB22-9D7A6D690BAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*",
              "matchCriteriaId": "29A70AAA-B77A-4291-A700-C910362DB8D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*",
              "matchCriteriaId": "9F8F3C38-57AB-4CBC-8959-7FF51CBA7907",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."
    },
    {
      "lang": "es",
      "value": "Http4s es una interfaz de Scala para servicios HTTP.\u0026#xa0;el directorio \"StaticFile.fromUrl\" puede filtrar la presencia de un directorio en un servidor cuando el esquema \"URL\" no es \"file://\", y la URL apunta a un recurso recuperable bajo su esquema y autoridad.\u0026#xa0;La funci\u00f3n devuelve \"F[None]\", indicando que no hay recurso, si \"url.getFile\" es un directorio, sin comprobar primero el esquema o la autoridad de la URL.\u0026#xa0;Si una conexi\u00f3n URL al esquema y la URL devolvieran una secuencia, y la ruta en la URL se presenta como un directorio en el servidor, la presencia del directorio en el servidor podr\u00eda inferirse de la respuesta 404.\u0026#xa0;No son expuestas los contenidos y otros metadatos sobre el directorio.\u0026#xa0;Esto afecta a versiones de http4s: versiones 0.21.7 hasta 0.21.23, 0.22.0-M1 hasta 0.22.0-M8, 0.23.0-M1 y versiones 1.0.0-M1 hasta 1.0.0-M22.\u0026#xa0;El [parche] (https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) est\u00e1 disponible en las siguientes versiones: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23.\u0026#xa0;Como soluci\u00f3n alternativa, los usuarios pueden evitar llamar a \"StaticFile.fromUrl\" con URL que no sean archivos"
    }
  ],
  "id": "CVE-2021-32643",
  "lastModified": "2024-11-21T06:07:26.607",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-27T18:15:07.903",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.