Design/Logic Flaw

2020-03-2518:15:00

PRIOn knowledge base

www.prio-n.com

7.2 High

AI Score

Confidence

High

0.049 Low

EPSS

Percentile

92.8%

JSON

http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain …/ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.

CPENameOperatorVersion
http4sge0.21.0
http4slt0.21.2
http4sge0.19.0
http4slt0.20.20
http4slt0.18.26

Name	Operator	Version
http4s	ge	0.21.0
http4s	lt	0.21.2
http4s	ge	0.19.0
http4s	lt	0.20.20
http4s	lt	0.18.26

References

github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec

github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca

github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b

github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6