admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-08-04 08:44:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Auto-merge PR#1841

Browse Source 
Auto-merge PR#1841
This commit is contained in:
CVE Team 2021-05-27 13:15:18 -04:00 committed by GitHub
commit a079f52974
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 90 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
2021/32xxx/CVE-2021-32643.json
View File

@ -1,18 +1,102 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32643",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "StaticFile.fromUrl can leak presence of a directory"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "http4s",
"version": {
"version_data": [
{
"version_value": ">= 0.21.7, < 0.21.24"
},
{
"version_value": ">= 0.22.0-M1, <= 0.22.0-M8"
},
{
"version_value": "= 0.23.0-M1"
},
{
"version_value": ">= 1.0.0-M1, < 1.0.0-M23"
}
]
}
}
]
},
"vendor_name": "http4s"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6",
"refsource": "CONFIRM",
"url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
},
{
"name": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9",
"refsource": "MISC",
"url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
},
{
"name": "https://mvnrepository.com/artifact/org.http4s/http4s-core",
"refsource": "MISC",
"url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
}
]
},
"source": {
"advisory": "GHSA-6h7w-fc84-x7p6",
"discovery": "UNKNOWN"
}
}