Http4S
CVE-2021-41084
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 18 maven packages depend on org.http4s:http4s-client_2.12 (15 direct, 3 indirect)
- 20 maven packages depend on org.http4s:http4s-client_2.13 (16 direct, 4 indirect)
- 7 maven packages depend on org.http4s:http4s-client_3 (7 direct, 0 indirect)
- 16 maven packages depend on org.http4s:http4s-server_2.12 (8 direct, 8 indirect)
- 18 maven packages depend on org.http4s:http4s-server_2.13 (9 direct, 9 indirect)
Ecosystem-wide dependent count for version 0.22.0 and other introduced versions.
DescriptionNVD
http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (Header.nameå), Header values (Header.value), Status reason phrases (Status.reason), URI paths (Uri.Path), URI authority registered names (URI.RegName) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
AnalysisAI
http4s is an open source scala interface for HTTP. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (Header.nameå), Header values (Header.value), Status reason phrases (Status.reason), URI paths (Uri.Path), URI authority registered names (URI.RegName) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening. Affected products include: Typelevel Http4S. Version information: through 0.21.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.
Http4s is a Scala interface for HTTP services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploita
Http4s is a minimal, idiomatic Scala interface for HTTP services. Rated critical severity (CVSS 9.1), this vulnerability
Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Rated high severity (CVSS 7.5),
http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. Rated high severity (CVSS
Http4s is a Scala interface for HTTP services. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploita
Http4s is a Scala interface for HTTP services. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploita
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today