Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01NHc2LXZ4ZmgtZnc3Zs4AAwyX

Http4s improperly parses User-Agent and Server headers

Impact

The User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers.

v0.21.x

val unsafe: Option[`User-Agent`] = req.headers.get(`User-Agent`)

v0.22.x, v0.23.x, v1.x

val unsafe: Option[`User-Agent`] = req.headers.get[`User-Agent`]
val alsoUnsafe: Option[`Server`] = req.headers.get[Server]

Patches

Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38.

Workarounds

Use the weakly typed header interface

v0.21.x
val safe: Option[Header] = req.headers.get("User-Agent".ci)
// but don't do this
val unsafe = header.map(_.parsed) 
v0.22.x, v0.23.x, v1.x
val safe: Option[Header] = req.headers.get(ci"User-Agent")
Permalink: https://github.com/advisories/GHSA-54w6-vxfh-fw7f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NHc2LXZ4ZmgtZnc3Zs4AAwyX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: almost 2 years ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-54w6-vxfh-fw7f, CVE-2023-22465
References: Repository: https://github.com/http4s/http4s
Blast Radius: 1.0

Affected Packages

maven:org.http4s:http4s-core
Affected Version Ranges: >= 1.0.0-M1, < 1.0.0-M38, >= 0.23.0, < 0.23.17, >= 0.22.0, < 0.22.15, >= 0.1.0, < 0.21.34
Fixed in: 1.0.0-M38, 0.23.17, 0.22.15, 0.21.34