CVE-2020-5280 - OpenCVE

http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Typelevel	Http4s

Configuration 1 [-]

OR	cpe:2.3:a:typelevel:http4s::::::::
	cpe:2.3:a:typelevel:http4s::::::::
	cpe:2.3:a:typelevel:http4s::::::::

No data.

References

Link	Providers
https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec
https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca
https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b
https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-03-25T17:45:17

Updated: 2024-08-04T08:22:09.104Z

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5280

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-03-25T18:15:14.237

Modified: 2020-03-30T17:48:39.947

Link: CVE-2020-5280

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "http4s", "vendor": "http4s", "versions": [{"status": "affected", "version": "< 0.18.26"}, {"status": "affected", "version": ">= 0.19.0, < 0.20.20"}, {"status": "affected", "version": ">= 0.21.0, < 0.21.2"}]}], "descriptions": [{"lang": "en", "value": "http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-25T17:45:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b"}], "source": {"advisory": "GHSA-66q9-f7ff-mmx6", "discovery": "UNKNOWN"}, "title": "Local file inclusion vulnerability in http4s", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5280", "STATE": "PUBLIC", "TITLE": "Local file inclusion vulnerability in http4s"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "http4s", "version": {"version_data": [{"version_value": "< 0.18.26"}, {"version_value": ">= 0.19.0, < 0.20.20"}, {"version_value": ">= 0.21.0, < 0.21.2"}]}}]}, "vendor_name": "http4s"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-23: Relative Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6", "refsource": "CONFIRM", "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6"}, {"name": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec"}, {"name": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca"}, {"name": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b"}]}, "source": {"advisory": "GHSA-66q9-f7ff-mmx6", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.104Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5280", "datePublished": "2020-03-25T17:45:17", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2024-08-04T08:22:09.104Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8F27ABA-D902-4EFB-AA8A-1C1A3637517A", "versionEndExcluding": "0.18.26", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B72AEE1-950A-4AB8-9620-A9E4DE39ACEB", "versionEndExcluding": "0.20.20", "versionStartIncluding": "0.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "15358AD5-7CD3-4EC2-B986-6115420D15D8", "versionEndExcluding": "0.21.2", "versionStartIncluding": "0.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported."}, {"lang": "es", "value": "http4s versiones anteriores a 0.18.26, 0.20.20 y 0.21.2, presenta una vulnerabilidad de inclusi\u00f3n de archivos local. Esta vulnerabilidad se aplica a todos los usuarios de org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService y org.http4s.server.staticcontent.WebjarService. La normalizaci\u00f3n de URI es aplicada incorrectamente. Las peticiones cuya informaci\u00f3n de ruta contiene ../ o // pueden exponer recursos fuera de la ubicaci\u00f3n configurada. Este problema est\u00e1 parcheado en las versiones 0.18.26, 0.20.20 y 0.21.2. Tome en cuenta que la versi\u00f3n 0.19.0 es una versi\u00f3n en desuso y nunca ha sido compatible."}], "id": "CVE-2020-5280", "lastModified": "2020-03-30T17:48:39.947", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-03-25T18:15:14.237", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Secondary"}]}