Local File Inclusion Affecting org.http4s:http4s-server Open this link in a new tab package, versions [0.21.0,0.21.2) [0.19.0,0.20.20) [,0.18.26)

Attack Complexity

Low
User Interaction

Required
Scope

Changed
Confidentiality

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-ORGHTTP4S-561337
published

26 Mar 2020
disclosed

25 Mar 2020
credit

Thomas Gøytil

Report a new vulnerability Found a mistake?

Introduced: 25 Mar 2020

CVE-2020-5280 Open this link in a new tab CWE-23 Open this link in a new tab

How to fix?

Upgrade org.http4s:http4s-server to version 0.21.2, 0.20.20, 0.18.26 or higher.

Overview

org.http4s:http4s-server is a base library for building http4s servers.

Affected versions of this package are vulnerable to Local File Inclusion. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location.

Local File Inclusion Affecting org.http4s:http4s-server Open this link in a new tab package, versions [0.21.0,0.21.2) [0.19.0,0.20.20) [,0.18.26)

Attack Complexity

User Interaction

Scope

Confidentiality

snyk-id

published

disclosed

credit

Introduced: 25 Mar 2020

How to fix?

Overview

References