Typelevel http4s 1.0.0 Milestone 26

CPE Details

1.0.0
2021-10-04 14h19 +00:00
2021-10-04 14h24 +00:00

CPE Name: cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:*

Information

Vendor: typelevel

Product: http4s

Version: 1.0.0

Update: milestone26

Related CVE

| CVE ID | Published | Description | Score | Severity |
|---|---|---|---|---|
| CVE-2023-22465 | 2023-01-04 15h30 +00:00 | Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface. | 7.5 | High |
| CVE-2021-41084 | 2021-09-21 15h20 +00:00 | http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening. | 8.7 | High |