CVE-2021-32643

Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.

CVSS v3 5.8 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9	Patch Third Party Advisory
https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6	Patch Third Party Advisory
https://mvnrepository.com/artifact/org.http4s/http4s-core	Third Party Advisory
https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9	Patch Third Party Advisory
https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6	Patch Third Party Advisory
https://mvnrepository.com/artifact/org.http4s/http4s-core	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:typelevel:http4s::::::::
	cpe:2.3:a:typelevel:http4s:0.22.0:milestone1::::::
	cpe:2.3:a:typelevel:http4s:0.22.0:milestone2::::::
	cpe:2.3:a:typelevel:http4s:0.22.0:milestone3::::::
	cpe:2.3:a:typelevel:http4s:0.22.0:milestone4::::::
	cpe:2.3:a:typelevel:http4s:0.22.0:milestone5::::::
	cpe:2.3:a:typelevel:http4s:0.22.0:milestone6::::::
	cpe:2.3:a:typelevel:http4s:0.22.0:milestone7::::::
	cpe:2.3:a:typelevel:http4s:0.22.0:milestone8::::::
	cpe:2.3:a:typelevel:http4s:0.23.0:milestone1::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone1::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone10::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone11::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone12::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone13::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone14::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone15::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone16::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone17::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone18::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone19::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone2::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone20::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone21::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone22::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone3::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone4::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone5::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone6::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone7::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone8::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone9::::::

History

21 Nov 2024, 06:07

Type	Values Removed	Values Added
References	~~() https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9 - Patch, Third Party Advisory~~	() https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9 - Patch, Third Party Advisory
References	~~() https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6 - Patch, Third Party Advisory~~	() https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6 - Patch, Third Party Advisory
References	~~() https://mvnrepository.com/artifact/org.http4s/http4s-core - Third Party Advisory~~	() https://mvnrepository.com/artifact/org.http4s/http4s-core - Third Party Advisory

10 Jun 2021, 13:32

Type	Values Removed	Values Added
References	~~(MISC) https://mvnrepository.com/artifact/org.http4s/http4s-core -~~	(MISC) https://mvnrepository.com/artifact/org.http4s/http4s-core - Third Party Advisory
References	~~(CONFIRM) https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6 -~~	(CONFIRM) https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6 - Patch, Third Party Advisory
References	~~(MISC) https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9 -~~	(MISC) https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9 - Patch, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 5.8
CWE		CWE-22
CPE		cpe:2.3:a:typelevel:http4s:0.23.0:milestone1:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:::::: cpe:2.3:a:typelevel:http4s:0.22.0:milestone1:::::: cpe:2.3:a:typelevel:http4s:0.22.0:milestone2:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:::::: cpe:2.3:a:typelevel:http4s:0.22.0:milestone5:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:::::: cpe:2.3:a:typelevel:http4s:0.22.0:milestone6:::::: cpe:2.3:a:typelevel:http4s:0.22.0:milestone7:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:::::: cpe:2.3:a:typelevel:http4s:0.22.0:milestone3:::::: cpe:2.3:a:typelevel:http4s:::::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:::::: cpe:2.3:a:typelevel:http4s:0.22.0:milestone8:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:::::: cpe:2.3:a:typelevel:http4s:0.22.0:milestone4:::::: cpe:2.3:a:typelevel:http4s:1.0.0:milestone3::::::

27 May 2021, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-05-27 18:15

Updated : 2024-11-21 06:07

NVD link : CVE-2021-32643

Mitre link : CVE-2021-32643

CVE.ORG link : CVE-2021-32643

JSON object : View

Products Affected

typelevel

http4s

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2021-32643", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2021-05-27T18:15:07.903", "references": [{"url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://mvnrepository.com/artifact/org.http4s/http4s-core", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://mvnrepository.com/artifact/org.http4s/http4s-core", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."}, {"lang": "es", "value": "Http4s es una interfaz de Scala para servicios HTTP. el directorio \"StaticFile.fromUrl\" puede filtrar la presencia de un directorio en un servidor cuando el esquema \"URL\" no es \"file://\", y la URL apunta a un recurso recuperable bajo su esquema y autoridad. La funci\u00f3n devuelve \"F[None]\", indicando que no hay recurso, si \"url.getFile\" es un directorio, sin comprobar primero el esquema o la autoridad de la URL. Si una conexi\u00f3n URL al esquema y la URL devolvieran una secuencia, y la ruta en la URL se presenta como un directorio en el servidor, la presencia del directorio en el servidor podr\u00eda inferirse de la respuesta 404. No son expuestas los contenidos y otros metadatos sobre el directorio. Esto afecta a versiones de http4s: versiones 0.21.7 hasta 0.21.23, 0.22.0-M1 hasta 0.22.0-M8, 0.23.0-M1 y versiones 1.0.0-M1 hasta 1.0.0-M22. El [parche] (https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) est\u00e1 disponible en las siguientes versiones: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. Como soluci\u00f3n alternativa, los usuarios pueden evitar llamar a \"StaticFile.fromUrl\" con URL que no sean archivos"}], "lastModified": "2024-11-21T06:07:26.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A89F91C5-C023-499F-92E9-6ABD29906F05", "versionEndExcluding": "0.21.24", "versionStartIncluding": "0.21.7"}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F47AFA4-20AD-41C4-9693-D9BE51F61AD5"}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "277DD893-FCEC-494D-A25C-E4F1C0E2F30B"}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8CAEF1DF-8A14-4C6A-AF85-B66B07E53BCB"}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F4BFAA7-4295-4496-9883-410DAEEC2CE0"}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D2214A6-5A1F-4A89-9718-83D499D9A417"}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "176031C5-37CA-4303-9222-6A5D1BA5982F"}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F860AD98-AC2A-460C-A95A-DE044EE32AD2"}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00D9D86C-BE0A-44FB-A242-6DF85C645591"}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.23.0:milestone1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2A29EBD-8832-45AE-8686-B1058AAF9476"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65C497F9-281C-4565-BD36-B6B4D7E6F8BD"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6FCFC3E5-7530-4AAA-A2C7-36DC307B613B"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76F8BC53-544C-4285-8D9B-CB91AD080048"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "778947CA-20BA-469F-87E1-97D8713ACC75"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5B02828-1E40-49BE-8367-10296625C696"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A569F32F-3C8C-4F8F-B0BC-6ADC993596A9"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "525DBF4B-F574-459D-9CE2-6AF597ABAE10"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FD05B15E-1E4F-43EA-B21A-3B96A77814D6"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65C79F52-F05F-4F0A-AC27-393197B9EF00"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A426B4C0-643A-492F-B7FB-725549F613F6"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D95E231C-3D13-45FC-AF9A-CB8CF1FFC983"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF973F58-0AC7-4B58-A2CF-654133CE7F1A"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35C40331-C96C-477C-B6BD-D5506E612DA8"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "615BC827-3E0F-4C1E-8FD2-B59FF31F2D49"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE093D65-1B3A-4A4A-BC76-05DEF9529712"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC3CA618-148D-4F97-9913-316DDDD97838"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02FA538C-9D8A-49D5-8268-1A2C3E96B89B"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D18A3ABC-5C47-45BF-978C-5BB17787DCFA"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CE1CF51-E61A-418A-AB22-9D7A6D690BAA"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29A70AAA-B77A-4291-A700-C910362DB8D4"}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9F8F3C38-57AB-4CBC-8959-7FF51CBA7907"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

5.8 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-32643

5.8^/10

5.0^/10

Attach tags to `CVE-2021-32643`