CVE-2021-32643

Source
https://cve.org/CVERecord?id=CVE-2021-32643
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32643.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-32643
Published
2021-05-27T18:15:07.903Z
Modified
2026-03-13T22:00:29.798070Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Summary
[none]
Details

Http4s is a Scala interface for HTTP services. StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns F[None], indicating no resource, if url.getFile is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed.

This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The patch is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23.

As a workaround, users can avoid calling StaticFile.fromUrl with non-file URLs.

Affected packages

Git / github.com/http4s/http4s

Affected ranges

Type
GIT
Repo
https://github.com/http4s/http4s
Events
Introduced
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0.21.7"
        },
        {
            "fixed": "0.21.24"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.22.0-milestone1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.22.0-milestone2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.22.0-milestone3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.22.0-milestone4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.22.0-milestone5"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.22.0-milestone6"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.22.0-milestone7"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.22.0-milestone8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.23.0-milestone1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone10"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone11"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone12"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone13"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone14"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone15"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone16"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone17"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone18"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone19"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone20"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone21"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone22"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone5"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone6"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone7"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone9"
        }
    ]
}

Affected versions

v0.*
v0.21.11
v0.21.12
v0.21.13
v0.21.14
v0.21.15
v0.21.16
v0.21.18
v0.21.19
v0.21.20
v0.21.21
v0.21.22
v0.21.23
v0.21.7
v0.21.8
v0.21.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32643.json"