Description

Http4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the 404 response. The contents and other metadata about the directory are not exposed. This affects http4s versions: 0.21.7 through 0.21.23, 0.22.0-M1 through 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 through 1.0.0-M22. The [patch](https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9) is available in the following versions: v0.21.24, v0.22.0-M9, v0.23.0-M2, v1.0.0-M23. As a workaround users can avoid calling `StaticFile.fromUrl` with non-file URLs.

Remediation

References

https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6

https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9

https://mvnrepository.com/artifact/org.http4s/http4s-core

Related Vulnerabilities

CVE-2023-27495 Vulnerability in npm package @fastify/csrf-protection

CVE-2014-125087 Vulnerability in maven package com.jamesmurty.utils:java-xmlbuilder

CVE-2019-10746 Vulnerability in npm package mixin-deep

CVE-2019-16772 Vulnerability in npm package serialize-javascript

CVE-2023-33246 Vulnerability in maven package org.apache.rocketmq:rocketmq-namesrv

Severity

Medium

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Tags

Patch Third Party Advisory