Lucene search

GitHub_MCVELIST:CVE-2020-5280

HistoryMar 25, 2020 - 5:45 p.m.

CVE-2020-5280 Local file inclusion vulnerability in http4s

2020-03-2517:45:17

CWE-23

GitHub_M

www.cve.org

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

7.2 High

AI Score

Confidence

High

0.049 Low

EPSS

Percentile

92.8%

JSON

http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain …/ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.

CNA Affected

[
  {
    "product": "http4s",
    "vendor": "http4s",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.18.26"
      },
      {
        "status": "affected",
        "version": ">= 0.19.0, < 0.20.20"
      },
      {
        "status": "affected",
        "version": ">= 0.21.0, < 0.21.2"
      }
    ]
  }
]

References

github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec

github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca

github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b

github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6