Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N
Vendors Products
Typelevel
  • Http4s

Configuration 1 [-]

OR cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:0.23.0:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:0.23.1:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*
References
Link Resource
https://github.com/http4s/http4s/releases/tag/v0.23.2 Third Party Advisory
https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6 Patch Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-09-01T19:25:09

Updated: 2021-09-01T19:25:09

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-39185

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2021-09-01T20:15:07.447

Modified: 2021-09-15T00:12:23.797

Link: CVE-2021-39185

JSON object: View

cve-icon Redhat Information

No data.

CWE