CVE-2021-39185

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-39185

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39185.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-39185

Aliases

GHSA-52cf-226f-rhr6

Related

GHSA-52cf-226f-rhr6

Published

2021-09-01T20:15:07.447Z

Modified

2026-04-10T04:37:01.622067Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original CORS implementation and CORSConfig are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.

References

Affected packages

Git / github.com/http4s/http4s

Affected ranges

Type

GIT

Repo

https://github.com/http4s/http4s

Events

Introduced

Last affected

6264fa05386925afd82942976f5606b1d8181099

Introduced

3e98ea4a63e741c7f9d5e917d48d2ee8fab54476

Last affected

cf77cfeb2d0bd09337da0b64a636e29bbfb77d27

Introduced

Last affected

06db471f053023ce3ffd7c568ce46d33551d1d69

Introduced

Last affected

c18c9b3dbb60be3f52d2ed3d74804158bee3b9f5

Introduced

Last affected

756ce63aee681c5b632bbeafe0b8fde2f3d237f4

Introduced

Last affected

d68768bb0936ff8fd1b95bb2d2f006d4d92b627b

Introduced

Last affected

a6edc034138f758697a93aa4985e3621e12a2314

Introduced

Last affected

a8189fc3c885dead089f857728b8d2b20361af6d

Introduced

Last affected

96c1fbefc08b58922bab72f4c0503cf393cdb13d

Introduced

Last affected

bef11333d4e7f85b0387c979f1b30fe91331f313

Introduced

Last affected

5e7be4846286f43a19c801ff9e77a376a35a5378

Introduced

Last affected

8f52735b5362395c86acb3d33c51b9dc3551aa4f

Introduced

Last affected

b4beb2ac80a19ec31a843d7c80c1eff89b682a46

Introduced

Last affected

da5224d0754579c7d8a845f13dbbcb4754aa396d

Introduced

Last affected

cfc696d96e8f1419449bc5cf53f8d394f76cf1b2

Introduced

Last affected

d980b0b88a42026f942c048c6097f92f78ad52f2

Introduced

Last affected

94e23b89b520efb022842fbd404484c674222d2a

Introduced

Last affected

c0165bc83e7f802b7fe9e50aba8bd1fd589d3e2e

Introduced

Last affected

493d5091a891958e24c954c365ac91498106b229

Introduced

Last affected

6227ad21e0ddc372e433d279a7cdde387b0b0e3e

Introduced

Last affected

96f5a9f1c77bf3180d1144d4c040ef3b84af6a99

Introduced

Last affected

cb6639a21181c460af8fd55a8c6326cb37da791f

Introduced

Last affected

6b0d5130177eb7af03c3979b5cf99af70f452fc7

Introduced

Last affected

45c90d58c98e4153e6ed6a355199a394f026d092

Introduced

Last affected

20d0457c207a6e139b47b601fe4aca00c7ec05cf

Introduced

Last affected

83e7ceb76f0a46ba27efd6c1a3b90bd1b2b8fca6

Introduced

Last affected

490f74b689ce543a133c7e033b60cbb94cb9d539

Introduced

Last affected

6676c1e24a4e32e0c6c1a36911f4e6606c10e12b

Fixed

5ebfb746ff98817959cbcce3ab2520342253c608

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.21.26"
        },
        {
            "introduced": "0.22.0"
        },
        {
            "last_affected": "0.22.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.23.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.23.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone10"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone11"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone12"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone13"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone14"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone15"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone16"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone17"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone18"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone19"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone20"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone21"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone22"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone23"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone24"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone5"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone6"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone7"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.0-milestone9"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.14.1

v0.17.0-M1

v0.18.0

v0.18.0-M1

v0.18.0-M2

v0.18.0-M3

v0.18.0-M4

v0.18.0-M5

v0.18.0-M6

v0.18.0-M7

v0.18.0-M8

v0.18.0-M9

v0.19.0

v0.19.0-M1

v0.19.0-M2

v0.19.0-M3

v0.2.0

v0.20.0

v0.20.0-M1

v0.20.0-M2

v0.20.0-M3

v0.20.0-M4

v0.20.0-M5

v0.20.0-M6

v0.20.0-M7

v0.20.0-RC1

v0.21.0

v0.21.0-M1

v0.21.0-M3

v0.21.0-M4

v0.21.0-M5

v0.21.0-M6

v0.21.0-RC1

v0.21.0-RC2

v0.21.0-RC3

v0.21.0-RC4

v0.21.0-RC5

v0.21.1

v0.21.11

v0.21.12

v0.21.13

v0.21.14

v0.21.15

v0.21.16

v0.21.18

v0.21.19

v0.21.20

v0.21.21

v0.21.22

v0.21.23

v0.21.25

v0.21.26

v0.21.3

v0.21.4

v0.21.5

v0.21.6

v0.21.7

v0.21.8

v0.21.9

v0.22.0-M1

v0.22.0-M3

v0.22.0-M5

v0.22.0-M6

v0.22.0-M7

v0.22.0-M8

v0.22.1

v0.22.2

v0.23.0

v0.23.0-M1

v0.23.1

v0.3.0

v0.5.0

v0.6.0

v0.7.0

v0.8.1

v0.9.0

v1.*

v1.0.0-M1

v1.0.0-M10

v1.0.0-M11

v1.0.0-M12

v1.0.0-M13

v1.0.0-M14

v1.0.0-M15

v1.0.0-M16

v1.0.0-M17

v1.0.0-M18

v1.0.0-M19

v1.0.0-M2

v1.0.0-M20

v1.0.0-M21

v1.0.0-M22

v1.0.0-M23

v1.0.0-M24

v1.0.0-M3

v1.0.0-M4

v1.0.0-M5

v1.0.0-M6

v1.0.0-M7

v1.0.0-M8

v1.0.0-M9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39185.json"