http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2020-03-25T17:45:17
Updated: 2020-03-25T17:45:17
Reserved: 2020-01-02T00:00:00
Link: CVE-2020-5280
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-03-25T18:15:14.237
Modified: 2020-03-30T17:48:39.947
Link: CVE-2020-5280
JSON object: View
Redhat Information
No data.