Lucene search

GoogleOSV:GHSA-54W6-VXFH-FW7F

HistoryJan 06, 2023 - 8:24 p.m.

Http4s improperly parses User-Agent and Server headers

2023-01-0620:24:36

Google

osv.dev

http4s

user-agent

server headers

parsers

vulnerability

http4s v0.21.x

http4s v0.22.x

http4s v0.23.x

http4s v1.x

fixes

patches

workarounds

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

31.8%

JSON

Impact

The User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers.

v0.21.x

val unsafe: Option[`User-Agent`] = req.headers.get(`User-Agent`)

v0.22.x, v0.23.x, v1.x

val unsafe: Option[`User-Agent`] = req.headers.get[`User-Agent`]
val alsoUnsafe: Option[`Server`] = req.headers.get[Server]

Patches

Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38.

Workarounds

Use the weakly typed header interface

v0.21.x

val safe: Option[Header] = req.headers.get("User-Agent".ci)
// but don't do this
val unsafe = header.map(_.parsed)

v0.22.x, v0.23.x, v1.x

val safe: Option[Header] = req.headers.get(ci"User-Agent")

References

github.com/http4s/http4s

github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f

nvd.nist.gov/vuln/detail/CVE-2023-22465

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

31.8%

JSON

Related for OSV:GHSA-54W6-VXFH-FW7F