{"containers": {"cna": {"affected": [{"product": "http4s", "vendor": "http4s", "versions": [{"status": "affected", "version": "<= 0.21.28"}, {"status": "affected", "version": ">= 0.22.0, < 0.22.5"}, {"status": "affected", "version": ">= 0.23.0, < 0.23.4"}, {"status": "affected", "version": ">= 1.0.0-M1, < 1.0.0-M27"}]}], "descriptions": [{"lang": "en", "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-21T17:20:14", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"}, {"tags": ["x_refsource_MISC"], "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"}, {"tags": ["x_refsource_MISC"], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"}], "source": {"advisory": "GHSA-5vcm-3xc3-w7x3", "discovery": "UNKNOWN"}, "title": "Response Splitting from unsanitized headers in http4s", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41084", "STATE": "PUBLIC", "TITLE": "Response Splitting from unsanitized headers in http4s"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "http4s", "version": {"version_data": [{"version_value": "<= 0.21.28"}, {"version_value": ">= 0.22.0, < 0.22.5"}, {"version_value": ">= 0.23.0, < 0.23.4"}, {"version_value": ">= 1.0.0-M1, < 1.0.0-M27"}]}}]}, "vendor_name": "http4s"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918: Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3", "refsource": "CONFIRM", "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"}, {"name": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"}, {"name": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values", "refsource": "MISC", "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"}, {"name": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting", "refsource": "MISC", "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"}]}, "source": {"advisory": "GHSA-5vcm-3xc3-w7x3", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:59:31.504Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41084", "datePublished": "2021-09-21T17:20:14", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.504Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0B6AFB9-30AE-4CB0-98E8-80E2066211CD", "versionEndExcluding": "0.21.29", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0D7EA70-14A9-4DB3-B96C-2FA713040D65", "versionEndExcluding": "0.22.5", "versionStartIncluding": "0.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A613C47-29E5-484C-AEBF-C3B5EB5ED3CF", "versionEndExcluding": "0.23.4", "versionStartIncluding": "0.23.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "65C497F9-281C-4565-BD36-B6B4D7E6F8BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "6FCFC3E5-7530-4AAA-A2C7-36DC307B613B", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "D03CBFE3-0B31-4D7C-BC5D-61DCD3C2C486", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "76F8BC53-544C-4285-8D9B-CB91AD080048", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "778947CA-20BA-469F-87E1-97D8713ACC75", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "F5B02828-1E40-49BE-8367-10296625C696", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "A569F32F-3C8C-4F8F-B0BC-6ADC993596A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "525DBF4B-F574-459D-9CE2-6AF597ABAE10", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "FD05B15E-1E4F-43EA-B21A-3B96A77814D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "65C79F52-F05F-4F0A-AC27-393197B9EF00", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "A426B4C0-643A-492F-B7FB-725549F613F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "D95E231C-3D13-45FC-AF9A-CB8CF1FFC983", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "CF973F58-0AC7-4B58-A2CF-654133CE7F1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "35C40331-C96C-477C-B6BD-D5506E612DA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "615BC827-3E0F-4C1E-8FD2-B59FF31F2D49", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "FDFB35FD-4D08-4895-B1B6-FC03BCB3EB22", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "97F74D04-031E-47D4-BA57-DBE9C74CE256", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "2FDC2E12-DE86-4A82-BD2F-C18F715CA673", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:*", "matchCriteriaId": "C1C18467-5FD0-4DCC-8B75-979C03BFF1C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "DE093D65-1B3A-4A4A-BC76-05DEF9529712", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "DC3CA618-148D-4F97-9913-316DDDD97838", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "02FA538C-9D8A-49D5-8268-1A2C3E96B89B", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "D18A3ABC-5C47-45BF-978C-5BB17787DCFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "1CE1CF51-E61A-418A-AB22-9D7A6D690BAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "29A70AAA-B77A-4291-A700-C910362DB8D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "9F8F3C38-57AB-4CBC-8959-7FF51CBA7907", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening."}, {"lang": "es", "value": "http4s es una interfaz scala de c\u00f3digo abierto para HTTP. En las versiones afectadas, http4s es vulnerable a ataques de divisi\u00f3n de respuestas o de peticiones cuando entradas de usuario no confiables son usadas para crear cualquiera de los siguientes campos: Header names (\"Header.name\"), Header values (\"Header.value\"), Status reason phrases (\"Status.reason\"), URI paths (\"Uri.Path\"), URI authority registered names (\"URI.RegName\") (versiones hasta 0.21). Este problema ha sido resuelto en versiones 0.21.30, 0.22.5, 0.23.4 y 1.0.0-M27 llevan a cabo lo siguiente. Como cuesti\u00f3n de pr\u00e1ctica, los servicios http4s y las aplicaciones cliente deber\u00edan sanear cualquier entrada del usuario en los campos mencionados antes de devolver una petici\u00f3n o respuesta al backend. Los caracteres carriage return, newline y null son los m\u00e1s amenazantes"}], "id": "CVE-2021-41084", "lastModified": "2024-11-21T06:25:25.353", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-21T18:15:07.427", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}