GHSA-8HXH-R6F7-JF45 Memory exhaustion in http4s-async-http-client with large or malicious compressed responses
Impact: A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a...
CVE-2020-5280
http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalizatio...
CVE-2020-5280
CVE-2020-5280 affects http4s prior to versions 0.18.26, 0.20.20, and 0.21.2. The local file inclusion arises from incorrect URI normalization in FileService, ResourceService, and WebjarService, allowing path segments like ../ or // to access resources outside the configured location. Patches exis...
CVE-2020-5280 Local file inclusion vulnerability in http4s
com.akolov:doorman-core_2.12 (=0.0.5), com.avast:scala-server-toolkit-http4s-blaze-server_2.12 (=0.1.3) +55 more potentially affected by CVE-2020-5280 via org.http4s:http4s-server_2.12 (>=0.19.0 <=0.20.2)
org.http4s:http4s-server_2.12 MAVEN version =0.19.0, =0.1.4, =0.1.4, =0.1.4, =0.1.4, =0.1.4, =0.1.4, =0.0.16, =0.0.13, =0.0.13, =0.0.13, =0.0.13, =0.17.0, =0.18.1 - com.github.allantl:atlassian-connect-http4s_2.12 =0.0.1 and more. Source CVEs: CVE-2020-5280. Source advisory: OSV:GHSA-66Q9-F7FF-MMX6...
GHSA-66Q9-F7FF-MMX6 Local file inclusion vulnerability in http4s
Impact: This vulnerability applies to all users of: org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService, org.http4s.server.staticcontent.WebjarService. Path escaping: URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expos...