Local File Inclusion Affecting org.http4s:http4s-server package, versions [0.21.0,0.21.2) [0.19.0,0.20.20) [,0.18.26)


0.0
high
  • Attack Complexity: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High

  • snyk-id: SNYK-JAVA-ORGHTTP4S-561337
  • published: 26 Mar 2020
  • disclosed: 25 Mar 2020
  • credit: Thomas Gøytil

How to fix?

Upgrade org.http4s:http4s-server to version 0.21.2, 0.20.20, 0.18.26 or higher.

Overview

org.http4s:http4s-server is a base library for building http4s servers.

Affected versions of this package are vulnerable to Local File Inclusion. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly: requests whose path info contains ../ or // can expose resources outside of the configured location.
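The kind of path check a static content service needs against the two cases the advisory names, as an added Python example that is not http4s code: the request path is normalized after percent-decoding, empty segments from // are dropped, any .. segment is refused, and a final containment check confirms the result is still under the configured root. The root directory and request paths are constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote


def resolve_static_path(root: str, path_info: str) -> Optional[str]:
    """Map a request's path info to a file under `root`.

    Returns None when the request must be refused. Normalization runs on
    the percent-decoded path so that encoded forms of the same segments
    cannot slip past the check.
    """
    decoded = unquote(path_info)
    if "\x00" in decoded:
        # An embedded NUL would truncate the path at the filesystem layer.
        return None
    kept = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            # "//" yields empty segments; dropping them rather than passing
            # them on keeps the filesystem from re-rooting the path.
            continue
        if seg == "..":
            # A static file service has no legitimate use for a parent
            # segment: refuse outright instead of trying to repair the path.
            return None
        kept.append(seg)
    resolved = posixpath.join(root, *kept) if kept else root
    # Independent containment check: the result must still lie under root.
    if posixpath.commonpath([root, resolved]) != root:
        return None
    return resolved


if __name__ == "__main__":
    # Constructed sample location and requests.
    root = "/srv/static"
    for req in ("/css/app.css", "//css//app.css", "/../../secrets.txt",
                "/css/%2e%2e/%2e%2e/secrets.txt"):
        print(f"{req!r:40} -> {resolve_static_path(root, req)}")
```

A real implementation would additionally resolve symlinks under the root before serving, which this example leaves out.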