CVE-2021-41084
Description
http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (Header.name), Header values (Header.value), Status reason phrases (Status.reason), URI paths (Uri.Path), URI authority registered names (URI.RegName) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
Risk Information
Base Score
4.7
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
EPSS Score
Exploitation Probability
0.451
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server 0.21.29 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server 0.22.5 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server 0.23.4 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--client 0.21.29 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--client 0.22.5 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--client 0.23.4 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server_2.12 0.21.29 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server_2.12 0.22.5 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server_2.12 0.23.4 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-server_2.13 0.21.29 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-server_2.13 0.22.5 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-server_2.13 0.23.4 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-server_3 0.22.5 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-server_3 0.23.4 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.12 0.21.29 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.12 0.22.5 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.12 0.23.4 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.13 0.21.29 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.13 0.22.5 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.13 0.23.4 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_3 0.21.29 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_3 0.22.5 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_3 0.23.4 | Windows |
| Vulnerabilities CVE-2021-41084 are affected in Http4s - http4s-server_2.10 0.21.28 | Windows |
| Vulnerabilities CVE-2021-41084 are affected in Http4s - http4s-server_2.11 0.21.28 | Windows |
| Vulnerabilities CVE-2021-41084 are affected in Http4s - http4s-server_2.13.0-M5 0.21.28 | Windows |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server for Linux 0.21.29 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server for Linux 0.22.5 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server for Linux 0.23.4 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--client for Linux 0.21.29 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--client for Linux 0.22.5 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--client for Linux 0.23.4 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server_2.12 for Linux 0.21.29 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server_2.12 for Linux 0.22.5 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in http4s--server_2.12 for Linux 0.23.4 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-server_2.13 for Linux 0.21.29 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-server_2.13 for Linux 0.22.5 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-server_2.13 for Linux 0.23.4 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-server_3 for Linux 0.22.5 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-server_3 for Linux 0.23.4 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.12 for Linux 0.21.29 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.12 for Linux 0.22.5 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.12 for Linux 0.23.4 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.13 for Linux 0.21.29 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.13 for Linux 0.22.5 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_2.13 for Linux 0.23.4 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_3 for Linux 0.21.29 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_3 for Linux 0.22.5 | Linux |
| Vulnerabilities CVE-2021-41084 are fixed in Http4s - http4s-client_3 for Linux 0.23.4 | Linux |
| Vulnerabilities CVE-2021-41084 are affected in Http4s - http4s-server_2.10 for Linux 0.21.28 | Linux |
| Vulnerabilities CVE-2021-41084 are affected in Http4s - http4s-server_2.11 for Linux 0.21.28 | Linux |
| Vulnerabilities CVE-2021-41084 are affected in Http4s - http4s-server_2.13.0-M5 for Linux 0.21.28 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234