Local File Inclusion affecting the org.http4s:http4s-server package, versions [0.21.0,0.21.2), [0.19.0,0.20.20) and [,0.18.26)
Attack Complexity: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Snyk ID: SNYK-JAVA-ORGHTTP4S-561337
Published: 26 Mar 2020
Disclosed: 25 Mar 2020
Credit: Thomas Gøytil
Introduced: 25 Mar 2020
CVE: CVE-2020-5280
How to fix?
Upgrade org.http4s:http4s-server to version 0.21.2, 0.20.20, 0.18.26 or higher.
Overview
org.http4s:http4s-server is a base library for building http4s servers.
Affected versions of this package are vulnerable to Local File Inclusion. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly: requests whose path info contains `../` or `//` can expose resources outside of the configured location.
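As an added illustration of the defensive check a static-content handler needs (this is not http4s code, and it is written in Python rather than Scala so it runs stand-alone), the resolver below normalises the request's path segments before joining them to the configured root and refuses any request that would land outside it, covering the `../` and `//` cases named above. `STATIC_ROOT`, the function name and the sample requests are constructed for the example.

```python
import posixpath
from typing import Optional

# Constructed example: the directory a static-content service is configured to serve.
STATIC_ROOT = "/srv/www/static"


def resolve_static_path(root: str, path_info: str) -> Optional[str]:
    """Map a request's path info onto a file under ``root``.

    Returns the resolved absolute path, or None if the request would reach
    outside ``root``. ``path_info`` is assumed to be already percent-decoded.
    Segments are normalised BEFORE joining to ``root``, so ``..`` can never
    climb past it and the empty segments produced by ``//`` are simply dropped
    instead of being left for the filesystem to interpret.
    """
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    segments = []
    for seg in path_info.split("/"):
        if seg in ("", "."):      # '//' and a leading '/' yield empty segments; '.' is a no-op
            continue
        if seg == "..":
            if not segments:      # would climb above the configured location
                return None
            segments.pop()
            continue
        segments.append(seg)
    resolved = posixpath.normpath(posixpath.join(root, *segments))
    # Final containment check: the result must be root itself or sit below it.
    # Comparing against root + '/' avoids accepting a sibling such as root + '2'.
    if resolved != root and not resolved.startswith(prefix):
        return None
    return resolved


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, two that try to leave the root.
    for req in ("css/site.css", "css//site.css", "../../etc/passwd", "css/../../outside.txt"):
        print(f"{req!r:28} -> {resolve_static_path(STATIC_ROOT, req)}")
```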