149 matches found
ch.epfl.scala:cmt-core_3 (>=2.0.21 <=2.0.22), ch.epfl.scala:cmta_3 (>=2.0.21 <=2.0.22) +86 more potentially affected by CVE-2021-39185 via org.http4s:http4s-server_3 (>=0.23.0 <=0.23.19)
org.http4s:http4s-server_3 MAVEN version =0.23.0, =2.0.21, =2.0.21, =2.0.21, =0.1.0, =0.12.1, =1.1.1, =4.0.0, =4.0.0, =1.6.0, =2.0.0, =2.0.0, =2.0.0, =2.0.19 and more Source cves: CVE-2021-39185 Source advisory: OSV:GHSA-52CF-226F-RHR6...
com.akolov:doorman-core_2.12 (=0.0.5), com.akolov:doorman_2.12 (>=0.3.0 <=0.4.0) +150 more potentially affected by CVE-2021-39185 via org.http4s:http4s-server_2.12 (>=0.10.0-M10 <=0.21.26)
org.http4s:http4s-server_2.12 MAVEN version =0.10.0-M10, =0.3.0, =0.18.3, =0.1.4, =0.1.4, =0.1.4, =0.1.4, =0.1.4, =0.1.4, =0.0.16, =0.0.13, =0.0.13, =0.0.13, =0.0.42 and more Source cves: CVE-2021-39185 Source advisory: OSV:GHSA-52CF-226F-RHR6...
ch.j3t:zio-prefetcher_2.12 (=0.8.0-RC6), com.codacy:kamon-http4s-0.23_2.12 (>=0.0.1 <=0.1.2) +54 more potentially affected by CVE-2021-39185 via org.http4s:http4s-server_2.12 (>=0.23.0 <=0.23.19)
org.http4s:http4s-server_2.12 MAVEN version =0.23.0, =0.0.1, =0.12.1, =0.2.0, =0.20.2, =1.1.1, =1.2.0, =1.2.0, =1.2.0, =3.3.2, =3.3.2, =0.1.0, =1.0.0, =1.5.4 and more Source cves: CVE-2021-39185 Source advisory: OSV:GHSA-52CF-226F-RHR6...
com.akolov:doorman_2.13 (>=0.2.0 <=0.4.0), com.avast.grpc:grpc-json-bridge-http4s_2.13 (>=0.18.3 <=0.18.7) +120 more potentially affected by CVE-2021-39185 via org.http4s:http4s-server_2.13 (>=0.10.0-M10 <=0.21.26)
org.http4s:http4s-server_2.13 MAVEN version =0.10.0-M10, =0.2.0, =0.18.3, =0.1.21, =0.1.21, =0.1.21, =0.1.21, =0.1.21, =0.1.21, =0.0.7, =0.0.7, =0.5-18-6fc7190, =0.0.38, =0.0.38, =0.0.38, =0.0.38, =0.0.42 and more Source cves: CVE-2021-39185 Source advisory: OSV:GHSA-52CF-226F-RHR6...
com.avast.grpc:grpc-json-bridge-http4s_2.13 (>=0.18.8 <=0.19.0), com.avast:sst-app-monix_2.13 (>=0.17.0 <=0.19.3) +51 more potentially affected by CVE-2021-39185 via org.http4s:http4s-server_2.13 (>=0.22.0 <=0.22.2)
org.http4s:http4s-server_2.13 MAVEN version =0.22.0, =0.18.8, =0.17.0, =0.17.0, =0.12.0, =0.17.0, =0.12.0, =0.17.0, =0.12.0, =0.12.0, =0.17.0, =0.17.0, =0.12.0, =0.12.0, =0.5-2-4dad691, =0.12.0, =0.16.1 and more Source cves: CVE-2021-39185 Source advisory: OSV:GHSA-52CF-226F-RHR6...
ch.j3t:zio-prefetcher_2.13 (=0.8.0-RC6), com.47deg:energy-monitor-persistence-app_2.13 (=0.2.0) +98 more potentially affected by CVE-2021-39185 via org.http4s:http4s-server_2.13 (>=0.23.0 <=0.23.19)
org.http4s:http4s-server_2.13 MAVEN version =0.23.0, =0.0.1, =0.12.1, =0.2.0, =0.1.0, =0.20.2, =1.1.1, =0.0.1, =1.2.2, =1.2.2, =1.2.2, =1.4.10 and more Source cves: CVE-2021-39185 Source advisory: OSV:GHSA-52CF-226F-RHR6...
io.github.jmcardon:tsec-http4s_2.13.0-M5 (>=0.1.0 <=0.1.0-M4), org.http4s:http4s-blaze-server_2.13.0-M5 (>=0.20.0 <=0.20.10) +3 more potentially affected by CVE-2021-39185 via org.http4s:http4s-server_2.13.0-M5 (>=0.20.0-RC1 <=0.20.10)
org.http4s:http4s-server_2.13.0-M5 MAVEN version =0.20.0-RC1, =0.1.0, =0.20.0, =0.20.0, =0.20.0, =0.20.0, =0.20.10 Source cves: CVE-2021-39185 Source advisory: OSV:GHSA-52CF-226F-RHR6...
CVE-2021-39185
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...
Design/Logic Flaw
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...
CVE-2021-39185
Http4s is affected by a vulnerability in the default CORS configuration that enables origin reflection and a Null Origin Attack for versions 0.21.26 and prior, 0.22.0–0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24. The issue stems from the default CORS settings allowing credentialed acces...
CVE-2021-39185 Default CORS config allows any origin with credentials
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...
Http4s access control error vulnerability
http4s is an open source streaming HTTP server for Scala. An access control error vulnerability exists in Http4s that stems from the default CORS configuration being vulnerable to origin reflection attacks. The following products and versions are affected: 0.21.26 and earlier, 0.22.0 through...
GHSA-6H7W-FC84-X7P6 StaticFile.fromUrl can leak presence of a directory
Impact StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns FNone, indicating no resource, if url.getFile is a directory, without first checking the...
StaticFile.fromUrl can leak presence of a directory
Impact StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns FNone, indicating no resource, if url.getFile is a directory, without first checking the...
Http4s path traversal vulnerability (CNVD-2021-44963)
Http4s is an open source streaming HTTP server for Scala. Http4s has a path traversal vulnerability that can be exploited by an attacker to obtain sensitive information...
CVE-2021-32643
Http4s is a Scala interface for HTTP services. StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns FNone, indicating no resource, if url.getFile is a...
Design/Logic Flaw
Http4s is a Scala interface for HTTP services. StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns FNone, indicating no resource, if url.getFile is a...
CVE-2021-32643
The CVE-2021-32643 issue affects http4s (Scala HTTP services) where StaticFile.fromUrl can reveal the existence of a server directory when the URL scheme is not file://. If url.getFile is a directory, a non-file URL could yield a 404 that leaks directory presence, without exposing contents or met...