Add CVE-2021-32643 for GHSA-6h7w-fc84-x7p6

This commit is contained in:
Jonathan Moroney 2021-05-27 10:12:41 -07:00
parent 76e4eba9c2
commit e20bf09ed4
No known key found for this signature in database
GPG Key ID: 3F1697A1388A846C

View File

@ -1,18 +1,102 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32643",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "StaticFile.fromUrl can leak presence of a directory"
},
"description": {
"description_data": [
"affects": {
"vendor": {
"vendor_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"product": {
"product_data": [
{
"product_name": "http4s",
"version": {
"version_data": [
{
"version_value": ">= 0.21.7, < 0.21.24"
},
{
"version_value": ">= 0.22.0-M1, <= 0.22.0-M8"
},
{
"version_value": "= 0.23.0-M1"
},
{
"version_value": ">= 1.0.0-M1, < 1.0.0-M23"
}
]
}
}
]
},
"vendor_name": "http4s"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6",
"refsource": "CONFIRM",
"url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
},
{
"name": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9",
"refsource": "MISC",
"url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
},
{
"name": "https://mvnrepository.com/artifact/org.http4s/http4s-core",
"refsource": "MISC",
"url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
}
]
},
"source": {
"advisory": "GHSA-6h7w-fc84-x7p6",
"discovery": "UNKNOWN"
}
}