CVE-2023-22465 - Vulnerability Details

Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Typelevel	Http4s

Configuration 1 [-]

OR	cpe:2.3:a:typelevel:http4s::::::::
	cpe:2.3:a:typelevel:http4s::::::::
	cpe:2.3:a:typelevel:http4s::::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone1::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone10::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone11::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone12::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone13::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone14::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone15::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone16::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone17::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone18::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone19::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone2::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone20::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone21::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone22::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone23::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone24::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone25::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone26::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone27::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone28::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone29::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone3::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone30::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone31::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone32::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone33::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone34::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone35::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone36::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone37::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone4::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone5::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone6::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone7::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone8::::::
	cpe:2.3:a:typelevel:http4s:1.0.0:milestone9::::::

No data.

References

Link	Providers
https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-01-04T15:30:04.129Z

Updated: 2024-08-02T10:13:48.417Z

Reserved: 2022-12-29T03:00:40.879Z

Link: CVE-2023-22465

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-04T16:15:09.323

Modified: 2024-11-21T07:44:51.550

Link: CVE-2023-22465

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object