CVE-2020-5280 - OpenCVE

http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Typelevel	Http4s

Configuration 1 [-]

OR	cpe:2.3:a:typelevel:http4s::::::::
	cpe:2.3:a:typelevel:http4s::::::::
	cpe:2.3:a:typelevel:http4s::::::::

References

Link	Resource
https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec	Patch
https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca	Patch
https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b	Patch
https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-03-25T17:45:17

Updated: 2020-03-25T17:45:17

Reserved: 2020-01-02T00:00:00

Link: CVE-2020-5280

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-03-25T18:15:14.237

Modified: 2020-03-30T17:48:39.947

Link: CVE-2020-5280

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "http4s", "vendor": "http4s", "versions": [{"status": "affected", "version": "< 0.18.26"}, {"status": "affected", "version": ">= 0.19.0, < 0.20.20"}, {"status": "affected", "version": ">= 0.21.0, < 0.21.2"}]}], "descriptions": [{"lang": "en", "value": "http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-25T17:45:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b"}], "source": {"advisory": "GHSA-66q9-f7ff-mmx6", "discovery": "UNKNOWN"}, "title": "Local file inclusion vulnerability in http4s", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5280", "STATE": "PUBLIC", "TITLE": "Local file inclusion vulnerability in http4s"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "http4s", "version": {"version_data": [{"version_value": "< 0.18.26"}, {"version_value": ">= 0.19.0, < 0.20.20"}, {"version_value": ">= 0.21.0, < 0.21.2"}]}}]}, "vendor_name": "http4s"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-23: Relative Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6", "refsource": "CONFIRM", "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6"}, {"name": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec"}, {"name": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca"}, {"name": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b", "refsource": "MISC", "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b"}]}, "source": {"advisory": "GHSA-66q9-f7ff-mmx6", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5280", "datePublished": "2020-03-25T17:45:17", "dateReserved": "2020-01-02T00:00:00", "dateUpdated": "2020-03-25T17:45:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8F27ABA-D902-4EFB-AA8A-1C1A3637517A", "versionEndExcluding": "0.18.26", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "1B72AEE1-950A-4AB8-9620-A9E4DE39ACEB", "versionEndExcluding": "0.20.20", "versionStartIncluding": "0.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*", "matchCriteriaId": "15358AD5-7CD3-4EC2-B986-6115420D15D8", "versionEndExcluding": "0.21.2", "versionStartIncluding": "0.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported."}, {"lang": "es", "value": "http4s versiones anteriores a 0.18.26, 0.20.20 y 0.21.2, presenta una vulnerabilidad de inclusi\u00f3n de archivos local. Esta vulnerabilidad se aplica a todos los usuarios de org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService y org.http4s.server.staticcontent.WebjarService. La normalizaci\u00f3n de URI es aplicada incorrectamente. Las peticiones cuya informaci\u00f3n de ruta contiene ../ o // pueden exponer recursos fuera de la ubicaci\u00f3n configurada. Este problema est\u00e1 parcheado en las versiones 0.18.26, 0.20.20 y 0.21.2. Tome en cuenta que la versi\u00f3n 0.19.0 es una versi\u00f3n en desuso y nunca ha sido compatible."}], "id": "CVE-2020-5280", "lastModified": "2020-03-30T17:48:39.947", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-03-25T18:15:14.237", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Secondary"}]}