Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NHc2LXZ4ZmgtZnc3Zs4AAwyX
Http4s improperly parses User-Agent and Server headers
Impact
The User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers.
v0.21.x
val unsafe: Option[`User-Agent`] = req.headers.get(`User-Agent`)
v0.22.x, v0.23.x, v1.x
val unsafe: Option[`User-Agent`] = req.headers.get[`User-Agent`]
val alsoUnsafe: Option[`Server`] = req.headers.get[Server]
Patches
Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38.
Workarounds
Use the weakly typed header interface
v0.21.x
val safe: Option[Header] = req.headers.get("User-Agent".ci)
// but don't do this
val unsafe = header.map(_.parsed)
v0.22.x, v0.23.x, v1.x
val safe: Option[Header] = req.headers.get(ci"User-Agent")
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NHc2LXZ4ZmgtZnc3Zs4AAwyX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-54w6-vxfh-fw7f, CVE-2023-22465
References:
- https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f
- https://nvd.nist.gov/vuln/detail/CVE-2023-22465
- https://github.com/advisories/GHSA-54w6-vxfh-fw7f
Blast Radius: 1.0
Affected Packages
maven:org.http4s:http4s-core
Affected Version Ranges: >= 1.0.0-M1, < 1.0.0-M38, >= 0.23.0, < 0.23.17, >= 0.22.0, < 0.22.15, >= 0.1.0, < 0.21.34Fixed in: 1.0.0-M38, 0.23.17, 0.22.15, 0.21.34