GHSA-54w6-vxfh-fw7f

Source

https://github.com/advisories/GHSA-54w6-vxfh-fw7f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-54w6-vxfh-fw7f/GHSA-54w6-vxfh-fw7f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-54w6-vxfh-fw7f

Aliases

CVE-2023-22465

Published

2023-01-06T20:24:36Z

Modified

2023-11-08T04:11:35.798025Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Http4s improperly parses User-Agent and Server headers

Details

Impact

The User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers.

v0.21.x

val unsafe: Option[`User-Agent`] = req.headers.get(`User-Agent`)

v0.22.x, v0.23.x, v1.x

val unsafe: Option[`User-Agent`] = req.headers.get[`User-Agent`]
val alsoUnsafe: Option[`Server`] = req.headers.get[Server]

Patches

Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38.

Workarounds

Use the weakly typed header interface

v0.21.x

val safe: Option[Header] = req.headers.get("User-Agent".ci)
// but don't do this
val unsafe = header.map(_.parsed)

v0.22.x, v0.23.x, v1.x

val safe: Option[Header] = req.headers.get(ci"User-Agent")

Database specific

{
    "nvd_published_at": "2023-01-04T16:15:00Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2023-01-06T20:24:36Z"
}

References

Affected packages

Maven / org.http4s:http4s-core

Package

Name: org.http4s:http4s-core; View open source insights on deps.dev
Purl: pkg:maven/org.http4s/http4s-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.1.0

Fixed

0.21.34

Maven / org.http4s:http4s-core

Package

Name: org.http4s:http4s-core; View open source insights on deps.dev
Purl: pkg:maven/org.http4s/http4s-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.22.0

Fixed

0.22.15

Maven / org.http4s:http4s-core

Package

Name: org.http4s:http4s-core; View open source insights on deps.dev
Purl: pkg:maven/org.http4s/http4s-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.23.0

Fixed

0.23.17

Maven / org.http4s:http4s-core

Package

Name: org.http4s:http4s-core; View open source insights on deps.dev
Purl: pkg:maven/org.http4s/http4s-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0-M1

Fixed

1.0.0-M38