{"containers": {"cna": {"affected": [{"product": "http4s", "vendor": "http4s", "versions": [{"status": "affected", "version": ">= 0.21.7, < 0.21.24"}, {"status": "affected", "version": ">= 0.22.0-M1, <= 0.22.0-M8"}, {"status": "affected", "version": "= 0.23.0-M1"}, {"status": "affected", "version": ">= 1.0.0-M1, < 1.0.0-M23"}]}], "descriptions": [{"lang": "en", "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-27T17:15:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"}, {"tags": ["x_refsource_MISC"], "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"}], "source": {"advisory": "GHSA-6h7w-fc84-x7p6", "discovery": "UNKNOWN"}, "title": "StaticFile.fromUrl can leak presence of a directory", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32643", "STATE": "PUBLIC", "TITLE": "StaticFile.fromUrl can leak presence of a directory"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "http4s", "version": {"version_data": [{"version_value": ">= 0.21.7, < 0.21.24"}, {"version_value": ">= 0.22.0-M1, <= 0.22.0-M8"}, {"version_value": "= 0.23.0-M1"}, {"version_value": ">= 1.0.0-M1, < 1.0.0-M23"}]}}]}, "vendor_name": "http4s"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6", "refsource": "CONFIRM", "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"}, {"name": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"}, {"name": "https://mvnrepository.com/artifact/org.http4s/http4s-core", "refsource": "MISC", "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"}]}, "source": {"advisory": "GHSA-6h7w-fc84-x7p6", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:30.936Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32643", "datePublished": "2021-05-27T17:15:11", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:25:30.936Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "A89F91C5-C023-499F-92E9-6ABD29906F05", "versionEndExcluding": "0.21.24", "versionStartIncluding": "0.21.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "3F47AFA4-20AD-41C4-9693-D9BE51F61AD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "277DD893-FCEC-494D-A25C-E4F1C0E2F30B", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "8CAEF1DF-8A14-4C6A-AF85-B66B07E53BCB", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "5F4BFAA7-4295-4496-9883-410DAEEC2CE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "5D2214A6-5A1F-4A89-9718-83D499D9A417", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "176031C5-37CA-4303-9222-6A5D1BA5982F", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "F860AD98-AC2A-460C-A95A-DE044EE32AD2", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.22.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "00D9D86C-BE0A-44FB-A242-6DF85C645591", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:0.23.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "C2A29EBD-8832-45AE-8686-B1058AAF9476", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "65C497F9-281C-4565-BD36-B6B4D7E6F8BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "6FCFC3E5-7530-4AAA-A2C7-36DC307B613B", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "76F8BC53-544C-4285-8D9B-CB91AD080048", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "778947CA-20BA-469F-87E1-97D8713ACC75", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "F5B02828-1E40-49BE-8367-10296625C696", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "A569F32F-3C8C-4F8F-B0BC-6ADC993596A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "525DBF4B-F574-459D-9CE2-6AF597ABAE10", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "FD05B15E-1E4F-43EA-B21A-3B96A77814D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "65C79F52-F05F-4F0A-AC27-393197B9EF00", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "A426B4C0-643A-492F-B7FB-725549F613F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "D95E231C-3D13-45FC-AF9A-CB8CF1FFC983", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "CF973F58-0AC7-4B58-A2CF-654133CE7F1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "35C40331-C96C-477C-B6BD-D5506E612DA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "615BC827-3E0F-4C1E-8FD2-B59FF31F2D49", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "DE093D65-1B3A-4A4A-BC76-05DEF9529712", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "DC3CA618-148D-4F97-9913-316DDDD97838", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "02FA538C-9D8A-49D5-8268-1A2C3E96B89B", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "D18A3ABC-5C47-45BF-978C-5BB17787DCFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "1CE1CF51-E61A-418A-AB22-9D7A6D690BAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "29A70AAA-B77A-4291-A700-C910362DB8D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "9F8F3C38-57AB-4CBC-8959-7FF51CBA7907", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."}, {"lang": "es", "value": "Http4s es una interfaz de Scala para servicios HTTP.&#xa0;el directorio \"StaticFile.fromUrl\" puede filtrar la presencia de un directorio en un servidor cuando el esquema \"URL\" no es \"file://\", y la URL apunta a un recurso recuperable bajo su esquema y autoridad.&#xa0;La funci\u00f3n devuelve \"F[None]\", indicando que no hay recurso, si \"url.getFile\" es un directorio, sin comprobar primero el esquema o la autoridad de la URL.&#xa0;Si una conexi\u00f3n URL al esquema y la URL devolvieran una secuencia, y la ruta en la URL se presenta como un directorio en el servidor, la presencia del directorio en el servidor podr\u00eda inferirse de la respuesta 404.&#xa0;No son expuestas los contenidos y otros metadatos sobre el directorio.&#xa0;Esto afecta a versiones de http4s: versiones 0.21.7 hasta 0.21.23, 0.22.0-M1 hasta 0.22.0-M8, 0.23.0-M1 y versiones 1.0.0-M1 hasta 1.0.0-M22.&#xa0;El [parche] (https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) est\u00e1 disponible en las siguientes versiones: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23.&#xa0;Como soluci\u00f3n alternativa, los usuarios pueden evitar llamar a \"StaticFile.fromUrl\" con URL que no sean archivos"}], "id": "CVE-2021-32643", "lastModified": "2021-06-10T13:32:27.147", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-05-27T18:15:07.903", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}