CVE-2023-22465 – org.http4s:http4s-core
Package
Manager: maven
Name: org.http4s:http4s-core
Vulnerable Version: >=0.1.0 <0.21.34 || >=0.22.0 <0.22.15 || >=0.23.0 <0.23.17 || >=1.0.0-m1 <1.0.0-m38
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00051 (percentile 0.15628)
Details
Http4s improperly parses User-Agent and Server headers

### Impact

The `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers.

#### v0.21.x

```scala
// Requesting the typed header forces the vulnerable parser to run
val unsafe: Option[`User-Agent`] = req.headers.get(`User-Agent`)
```

#### v0.22.x, v0.23.x, v1.x

```scala
// Requesting the typed header forces the vulnerable parser to run
val unsafe: Option[`User-Agent`] = req.headers.get[`User-Agent`]
val alsoUnsafe: Option[Server] = req.headers.get[Server]
```

### Patches

Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38.

### Workarounds

#### Use the weakly typed header interface

##### v0.21.x

```scala
import org.http4s.syntax.string._ // provides the `.ci` extension on String

// Looking up the raw header by name does not invoke the typed parser
val safe: Option[Header] = req.headers.get("User-Agent".ci)

// but don't do this: `.parsed` runs the same vulnerable parser
val unsafe = safe.map(_.parsed)
```

##### v0.22.x, v0.23.x, v1.x

```scala
import cats.data.NonEmptyList
import org.typelevel.ci._ // provides the ci"..." interpolator

// Looking up by CIString returns the raw header values without parsing them
val safe: Option[NonEmptyList[Header.Raw]] = req.headers.get(ci"User-Agent")
```
Metadata
Created: 2023-01-06T20:24:36Z
Modified: 2023-01-06T20:24:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-54w6-vxfh-fw7f/GHSA-54w6-vxfh-fw7f.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-54w6-vxfh-fw7f
Finding: F184
Auto approve: 1