CVE Vulnerability

CVE-2020-5280

http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca Patch
https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec Patch
https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b Patch
https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
Information

Published : 2020-03-25 06:15

Updated : 2020-03-30 05:48

NVD link : CVE-2020-5280

Mitre link : CVE-2020-5280

Products Affected
No products.
CWE
CWE-22