CVE-2023-22465

Published: Jan 4, 2023Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.

Affected (40)

Products: Typelevel: Http4s

Typelevel

1 product

Http4s

Configuration A

40 vulnerable

Vulnerable Software	Affected Versions
Typelevel Http4s	From 0.1.0 to 0.21.34
Typelevel Http4s	From 0.22.0 to 0.22.15
Typelevel Http4s	From 0.23.0 to 0.23.17
Typelevel Http4s	Version 1.0.0 milestone10
Typelevel Http4s	Version 1.0.0 milestone11
Typelevel Http4s	Version 1.0.0 milestone12
Typelevel Http4s	Version 1.0.0 milestone13
Typelevel Http4s	Version 1.0.0 milestone14
Typelevel Http4s	Version 1.0.0 milestone15
Typelevel Http4s	Version 1.0.0 milestone16
Typelevel Http4s	Version 1.0.0 milestone17
Typelevel Http4s	Version 1.0.0 milestone18
Typelevel Http4s	Version 1.0.0 milestone19
Typelevel Http4s	Version 1.0.0 milestone1
Typelevel Http4s	Version 1.0.0 milestone20
Typelevel Http4s	Version 1.0.0 milestone21
Typelevel Http4s	Version 1.0.0 milestone22
Typelevel Http4s	Version 1.0.0 milestone23
Typelevel Http4s	Version 1.0.0 milestone24
Typelevel Http4s	Version 1.0.0 milestone25
Typelevel Http4s	Version 1.0.0 milestone26
Typelevel Http4s	Version 1.0.0 milestone27
Typelevel Http4s	Version 1.0.0 milestone28
Typelevel Http4s	Version 1.0.0 milestone29
Typelevel Http4s	Version 1.0.0 milestone2
Typelevel Http4s	Version 1.0.0 milestone30
Typelevel Http4s	Version 1.0.0 milestone31
Typelevel Http4s	Version 1.0.0 milestone32
Typelevel Http4s	Version 1.0.0 milestone33
Typelevel Http4s	Version 1.0.0 milestone34
Typelevel Http4s	Version 1.0.0 milestone35
Typelevel Http4s	Version 1.0.0 milestone36
Typelevel Http4s	Version 1.0.0 milestone37
Typelevel Http4s	Version 1.0.0 milestone3
Typelevel Http4s	Version 1.0.0 milestone4
Typelevel Http4s	Version 1.0.0 milestone5
Typelevel Http4s	Version 1.0.0 milestone6
Typelevel Http4s	Version 1.0.0 milestone7
Typelevel Http4s	Version 1.0.0 milestone8
Typelevel Http4s	Version 1.0.0 milestone9

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (2)

https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f

Source: security-advisories@github.com

ExploitMitigationThird Party Advisory

https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

Timeline

No history available yet.