Home

CVE-2021-39185

Description

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original CORS implementation and CORSConfig are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.

Risk Information

Base Score
9.1
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
Exploitation Probability
0.169

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2021-39185 are fixed in http4s--server 0.21.27Windows
Vulnerabilities CVE-2021-39185 are fixed in http4s--server 0.22.3Windows
Vulnerabilities CVE-2021-39185 are fixed in http4s--server 0.23.2Windows
Vulnerabilities CVE-2021-39185 are fixed in http4s--server_2.12 0.21.27Windows
Vulnerabilities CVE-2021-39185 are fixed in http4s--server_2.12 0.22.3Windows
Vulnerabilities CVE-2021-39185 are fixed in http4s--server_2.12 0.23.2Windows
Vulnerabilities CVE-2021-39185 are fixed in Http4s - http4s-server_2.13 0.21.27Windows
Vulnerabilities CVE-2021-39185 are fixed in Http4s - http4s-server_2.13 0.22.3Windows
Vulnerabilities CVE-2021-39185 are fixed in Http4s - http4s-server_2.13 0.23.2Windows
Vulnerabilities CVE-2021-39185 are fixed in Http4s - http4s-server_3 0.22.3Windows
Vulnerabilities CVE-2021-39185 are fixed in Http4s - http4s-server_3 0.23.2Windows
Vulnerabilities CVE-2021-39185 are affected in Http4s - http4s-server_2.10 0.21.26Windows
Vulnerabilities CVE-2021-39185 are affected in Http4s - http4s-server_2.11 0.21.26Windows
Vulnerabilities CVE-2021-39185 are affected in Http4s - http4s-server_2.13.0-M5 0.21.26Windows
Vulnerabilities CVE-2021-39185 are fixed in http4s--server for Linux 0.21.27Linux
Vulnerabilities CVE-2021-39185 are fixed in http4s--server for Linux 0.22.3Linux
Vulnerabilities CVE-2021-39185 are fixed in http4s--server for Linux 0.23.2Linux
Vulnerabilities CVE-2021-39185 are fixed in http4s--server_2.12 for Linux 0.21.27Linux
Vulnerabilities CVE-2021-39185 are fixed in http4s--server_2.12 for Linux 0.22.3Linux
Vulnerabilities CVE-2021-39185 are fixed in http4s--server_2.12 for Linux 0.23.2Linux
Vulnerabilities CVE-2021-39185 are fixed in Http4s - http4s-server_2.13 for Linux 0.21.27Linux
Vulnerabilities CVE-2021-39185 are fixed in Http4s - http4s-server_2.13 for Linux 0.22.3Linux
Vulnerabilities CVE-2021-39185 are fixed in Http4s - http4s-server_2.13 for Linux 0.23.2Linux
Vulnerabilities CVE-2021-39185 are fixed in Http4s - http4s-server_3 for Linux 0.22.3Linux
Vulnerabilities CVE-2021-39185 are fixed in Http4s - http4s-server_3 for Linux 0.23.2Linux
Vulnerabilities CVE-2021-39185 are affected in Http4s - http4s-server_2.10 for Linux 0.21.26Linux
Vulnerabilities CVE-2021-39185 are affected in Http4s - http4s-server_2.11 for Linux 0.21.26Linux
Vulnerabilities CVE-2021-39185 are affected in Http4s - http4s-server_2.13.0-M5 for Linux 0.21.26Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234