← Back

CVE-2021-41084

nvd nist
Published: Sep 21, 2021Modified: Nov 21, 2024

JSON object

Loading...
4.7
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Exploitability: 2.8 / Impact: 1.4
Source: NVD

Description

http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`å), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.

Affected (29)

Products: Typelevel: Http4s
Typelevel
1 product
Http4s
Configuration A
29 vulnerable
Vulnerable SoftwareAffected Versions
Typelevel
Http4s
Before 0.21.29
Http4s
From 0.22.0 to 0.22.5
Http4s
From 0.23.0 to 0.23.4
Http4s
Version 1.0.0 milestone10
Http4s
Version 1.0.0 milestone11
Http4s
Version 1.0.0 milestone12
Http4s
Version 1.0.0 milestone13
Http4s
Version 1.0.0 milestone14
Http4s
Version 1.0.0 milestone15
Http4s
Version 1.0.0 milestone16
Http4s
Version 1.0.0 milestone17
Http4s
Version 1.0.0 milestone18
Http4s
Version 1.0.0 milestone19
Http4s
Version 1.0.0 milestone1
Http4s
Version 1.0.0 milestone20
Http4s
Version 1.0.0 milestone21
Http4s
Version 1.0.0 milestone22
Http4s
Version 1.0.0 milestone23
Http4s
Version 1.0.0 milestone24
Http4s
Version 1.0.0 milestone25
Http4s
Version 1.0.0 milestone26
Http4s
Version 1.0.0 milestone2
Http4s
Version 1.0.0 milestone3
Http4s
Version 1.0.0 milestone4
Http4s
Version 1.0.0 milestone5
Http4s
Version 1.0.0 milestone6
Http4s
Version 1.0.0 milestone7
Http4s
Version 1.0.0 milestone8
Http4s
Version 1.0.0 milestone9

Related CWEs

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (8)

Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
ExploitThird Party Advisory
Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.