CVE-2021-41084 Information

Description

http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (Header.nameå) Header values (Header.value) Status reason phrases (Status.reason) URI paths (Uri.Path) URI authority registered names (URI.RegName) (through 0.21). This issue has been resolved in versions 0.21.30 0.22.5 0.23.4 and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return newline and null characters are the most threatening.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Reference

https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8 https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3 https://owasp.org/www-community/attacks/HTTP_Response_Splitting

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

4.7