
Commit 4d82cf5

1 parent ae5e643 commit 4d82cf5

File tree

1 file changed

+307
-8
lines changed


advisories/github-reviewed/2021/09/GHSA-5vcm-3xc3-w7x3/GHSA-5vcm-3xc3-w7x3.json

Lines changed: 307 additions & 8 deletions
@@ -1,13 +1,13 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-5vcm-3xc3-w7x3",
4-
"modified": "2022-10-25T20:24:37Z",
4+
"modified": "2025-12-11T21:12:05Z",
55
"published": "2021-09-22T19:18:41Z",
66
"aliases": [
77
"CVE-2021-41084"
88
],
99
"summary": "Response Splitting from unsanitized headers",
10-
"details": "### Impact\n\nhttp4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields:\n\n* Header names (`Header.name`å\n* Header values (`Header.value`)\n* Status reason phrases (`Status.reason`)\n* URI paths (`Uri.Path`)\n* URI authority registered names (`URI.RegName`) (through 0.21)\n\nThe following backends render invalid carriage return, newline, or null characters in an unsafe fashion.\n\n| | blaze-server | ember-server | blaze-client | ember-client | jetty-client |\n|:---------------|:-------------|:-------------|:-------------|--------------|--------------|\n| header names | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | \n| header values | ⚠ | ⚠ | ⚠ | ⚠ | |\n| status reasons | ⚠ | ⚠ | | | |\n| URI paths | | | ⚠ | ⚠ | |\n| URI regnames | | | ⚠ < 0.22 | ⚠ < 0.22 | |\n\nFor example, given the following service:\n\n```scala\nimport cats.effect._\nimport org.http4s._\nimport org.http4s.dsl.io._\nimport org.http4s.server.blaze.BlazeServerBuilder\nimport scala.concurrent.ExecutionContext.global\n\nobject ResponseSplit extends IOApp {\n override def run(args: List[String]): IO[ExitCode] =\n BlazeServerBuilder[IO](global)\n .bindHttp(8080)\n .withHttpApp(httpApp)\n .resource\n .use(_ => IO.never)\n\n val httpApp: HttpApp[IO] =\n HttpApp[IO] { req =>\n req.params.get(\"author\") match {\n case Some(author) =>\n Ok(\"The real content\")\n .map(_.putHeaders(Header(\"Set-Cookie\", s\"author=${author}\")))\n case None =>\n BadRequest(\"No author parameter\")\n }\n }\n}\n```\n\nA clean `author` parameter returns a clean response:\n\n```sh\ncurl -i 'http://localhost:8080/?author=Ross'\n```\n\n```http\nHTTP/1.1 200 OK\nContent-Type: text/plain; charset=UTF-8\nSet-Cookie: author=Ross\nDate: Mon, 20 Sep 2021 04:12:10 GMT\nContent-Length: 16\n\nThe real content\n```\n\nA malicious `author` parameter allows a user-agent to hijack the response from our server and return different content:\n\n```sh\ncurl -i 
'http://localhost:8080/?author=hax0r%0d%0aContent-Length:+13%0d%0a%0aI+hacked+you'\n```\n\n```http\nHTTP/1.1 200 OK\nContent-Type: text/plain; charset=UTF-8\nSet-Cookie: author=hax0r\nContent-Length: 13\n\nI hacked you\n```\n\n### Patches\n\nVersions 0.21.29, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following:\n\n* If a status reasoon phrase is invalid, it is dropped. Rendering is optional per spec.\n* If a header name is invalid in a request or response, the header is dropped. There is no way to generically sanitize a header without potentially shadowing a correct one.\n* If a header value is invalid in a request or response, it is sanitized by replacing null (`\\u0000`), carriage return (`\\r`), and newline (`\\n`) with space (` `) characters per spec.\n* If a URI path or registered name is invalid in a request line, the client raises an `IllegalArgumentException`.\n* If a URI registered name is invalid in a host header, the client raises an `IllegalArgumentException`. \n\n### Workarounds\n\nhttp4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.\n\nNot all backends were affected: jetty-server, tomcat-server, armeria, and netty on the server; async-http-client, okhttp-client, armeria, and netty as clients.\n\n### References\n* https://owasp.org/www-community/attacks/HTTP_Response_Splitting\n* https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub](http://github.com/http4s/http4s)\n* Contact us via the [http4s security policy](https://github.com/http4s/http4s/security/policy)\n",
10+
"details": "### Impact\n\nhttp4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields:\n\n* Header names (`Header.name`å\n* Header values (`Header.value`)\n* Status reason phrases (`Status.reason`)\n* URI paths (`Uri.Path`)\n* URI authority registered names (`URI.RegName`) (through 0.21)\n\nThe following backends render invalid carriage return, newline, or null characters in an unsafe fashion.\n\n| | blaze-server | ember-server | blaze-client | ember-client | jetty-client |\n|:---------------|:-------------|:-------------|:-------------|--------------|--------------|\n| header names | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ | \n| header values | ⚠ | ⚠ | ⚠ | ⚠ | |\n| status reasons | ⚠ | ⚠ | | | |\n| URI paths | | | ⚠ | ⚠ | |\n| URI regnames | | | ⚠ < 0.22 | ⚠ < 0.22 | |\n\nFor example, given the following service:\n\n```scala\nimport cats.effect._\nimport org.http4s._\nimport org.http4s.dsl.io._\nimport org.http4s.server.blaze.BlazeServerBuilder\nimport scala.concurrent.ExecutionContext.global\n\nobject ResponseSplit extends IOApp {\n override def run(args: List[String]): IO[ExitCode] =\n BlazeServerBuilder[IO](global)\n .bindHttp(8080)\n .withHttpApp(httpApp)\n .resource\n .use(_ => IO.never)\n\n val httpApp: HttpApp[IO] =\n HttpApp[IO] { req =>\n req.params.get(\"author\") match {\n case Some(author) =>\n Ok(\"The real content\")\n .map(_.putHeaders(Header(\"Set-Cookie\", s\"author=${author}\")))\n case None =>\n BadRequest(\"No author parameter\")\n }\n }\n}\n```\n\nA clean `author` parameter returns a clean response:\n\n```sh\ncurl -i 'http://localhost:8080/?author=Ross'\n```\n\n```http\nHTTP/1.1 200 OK\nContent-Type: text/plain; charset=UTF-8\nSet-Cookie: author=Ross\nDate: Mon, 20 Sep 2021 04:12:10 GMT\nContent-Length: 16\n\nThe real content\n```\n\nA malicious `author` parameter allows a user-agent to hijack the response from our server and return different content:\n\n```sh\ncurl -i 
'http://localhost:8080/?author=hax0r%0d%0aContent-Length:+13%0d%0a%0aI+hacked+you'\n```\n\n```http\nHTTP/1.1 200 OK\nContent-Type: text/plain; charset=UTF-8\nSet-Cookie: author=hax0r\nContent-Length: 13\n\nI hacked you\n```\n\n### Patches\n\nVersions 0.21.29, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following:\n\n* If a status reasoon phrase is invalid, it is dropped. Rendering is optional per spec.\n* If a header name is invalid in a request or response, the header is dropped. There is no way to generically sanitize a header without potentially shadowing a correct one.\n* If a header value is invalid in a request or response, it is sanitized by replacing null (`\\u0000`), carriage return (`\\r`), and newline (`\\n`) with space (` `) characters per spec.\n* If a URI path or registered name is invalid in a request line, the client raises an `IllegalArgumentException`.\n* If a URI registered name is invalid in a host header, the client raises an `IllegalArgumentException`. \n\n### Workarounds\n\nhttp4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.\n\nNot all backends were affected: jetty-server, tomcat-server, armeria, and netty on the server; async-http-client, okhttp-client, armeria, and netty as clients.\n\n### References\n* https://owasp.org/www-community/attacks/HTTP_Response_Splitting\n* https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub](http://github.com/http4s/http4s)\n* Contact us via the [http4s security policy](https://github.com/http4s/http4s/security/policy)",
1111
"severity": [
1212
{
1313
"type": "CVSS_V3",
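Review bot: the `details` rewrite at line 10 changes only the trailing `\n` before the closing quote and leaves two visible typos untouched: the first Impact bullet still reads `Header names (\`Header.name\`å` (a stray `å` where the closing parenthesis belongs) and the Patches section still says `status reasoon phrase`. Since the field is being rewritten anyway, correct both (`Header names (\`Header.name\`)` and `status reason phrase`) so the rendered advisory matches the other bullets. The `modified` bump at line 4 is expected for this edit.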
@@ -18,7 +18,7 @@
1818
{
1919
"package": {
2020
"ecosystem": "Maven",
21-
"name": "org.http4s:http4s-server"
21+
"name": "org.http4s:http4s-client_2.12"
2222
},
2323
"ranges": [
2424
{
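Review bot: the rename at line 21 both swaps the module (`http4s-server` to `http4s-client`) and adds the `_2.12` cross-build suffix, but the range body that follows this package block is outside the hunk. The `http4s-client_2.12` entries added later in this diff cover only `0.22.0` to `0.22.5` and `0.23.0` to `0.23.4`, so this entry has to be the one carrying the 0.21 range; confirm its events read `"introduced": "0"` and `"fixed": "0.21.29"` (the fix version the details give), otherwise `http4s-client_2.12` on 0.21.x is left unmatched. The unsuffixed `org.http4s:http4s-server` name being replaced does not correspond to any of the Scala cross-version artifacts (`_2.12`, `_2.13`, `_3`) used elsewhere in this file, so the suffix itself is the right call.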
@@ -40,7 +40,117 @@
4040
{
4141
"package": {
4242
"ecosystem": "Maven",
43-
"name": "org.http4s:http4s-client"
43+
"name": "org.http4s:http4s-client_2.12"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "0.22.0"
51+
},
52+
{
53+
"fixed": "0.22.5"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "<= 0.22.4"
60+
}
61+
},
62+
{
63+
"package": {
64+
"ecosystem": "Maven",
65+
"name": "org.http4s:http4s-client_2.12"
66+
},
67+
"ranges": [
68+
{
69+
"type": "ECOSYSTEM",
70+
"events": [
71+
{
72+
"introduced": "0.23.0"
73+
},
74+
{
75+
"fixed": "0.23.4"
76+
}
77+
]
78+
}
79+
],
80+
"database_specific": {
81+
"last_known_affected_version_range": "<= 0.23.3"
82+
}
83+
},
84+
{
85+
"package": {
86+
"ecosystem": "Maven",
87+
"name": "org.http4s:http4s-client_2.13"
88+
},
89+
"ranges": [
90+
{
91+
"type": "ECOSYSTEM",
92+
"events": [
93+
{
94+
"introduced": "0"
95+
},
96+
{
97+
"fixed": "0.21.29"
98+
}
99+
]
100+
}
101+
],
102+
"database_specific": {
103+
"last_known_affected_version_range": "<= 0.21.28"
104+
}
105+
},
106+
{
107+
"package": {
108+
"ecosystem": "Maven",
109+
"name": "org.http4s:http4s-client_2.13"
110+
},
111+
"ranges": [
112+
{
113+
"type": "ECOSYSTEM",
114+
"events": [
115+
{
116+
"introduced": "0.22.0"
117+
},
118+
{
119+
"fixed": "0.22.5"
120+
}
121+
]
122+
}
123+
],
124+
"database_specific": {
125+
"last_known_affected_version_range": "<= 0.22.4"
126+
}
127+
},
128+
{
129+
"package": {
130+
"ecosystem": "Maven",
131+
"name": "org.http4s:http4s-client_2.13"
132+
},
133+
"ranges": [
134+
{
135+
"type": "ECOSYSTEM",
136+
"events": [
137+
{
138+
"introduced": "0.23.0"
139+
},
140+
{
141+
"fixed": "0.23.4"
142+
}
143+
]
144+
}
145+
],
146+
"database_specific": {
147+
"last_known_affected_version_range": "<= 0.23.3"
148+
}
149+
},
150+
{
151+
"package": {
152+
"ecosystem": "Maven",
153+
"name": "org.http4s:http4s-client_3"
44154
},
45155
"ranges": [
46156
{
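Review bot: none of the ranges added here (or anywhere else in this diff) cover the `1.0.0-M` milestone line, even though the details say the issue is fixed in `1.0.0-M27`. Maven ordering places `1.0.0-M1` through `1.0.0-M26` above every `fixed` value in the file (`0.21.29`, `0.22.5`, `0.23.4`), so a consumer on a milestone build gets no match at all. If those artifacts were published, add a range for them with `"fixed": "1.0.0-M27"`; if they are deliberately excluded, record that in `database_specific`. Two smaller points in the same hunk: `http4s-client_2.13` receives all three version lines (lines 84-149) while `http4s-client_2.12` receives only 0.22 and 0.23 here (lines 40-83), which is correct only if the renamed entry in the previous hunk supplies the 2.12 0.21 range; and the pre-existing range at original lines 44-61 is now attributed to `http4s-client_3` (line 153), so confirm a `_3` artifact actually exists for that version line before reporting it as affected.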
@@ -62,7 +172,7 @@
62172
{
63173
"package": {
64174
"ecosystem": "Maven",
65-
"name": "org.http4s:http4s-server"
175+
"name": "org.http4s:http4s-client_3"
66176
},
67177
"ranges": [
68178
{
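Review bot: line 65 relabels an existing `http4s-server` entry as `http4s-client_3` without touching its events (original lines 66-83, outside the hunk), so an old server range is now reported for the client module. That is only correct if the server and client ranges were identical to begin with, which the details support (same fields, same fix versions for both sides); still, check that the events in this block name one of `0.21.29`, `0.22.5` or `0.23.4` as `fixed` and that the accompanying `last_known_affected_version_range` agrees, because nothing in this hunk shows them.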
@@ -84,7 +194,7 @@
84194
{
85195
"package": {
86196
"ecosystem": "Maven",
87-
"name": "org.http4s:http4s-server"
197+
"name": "org.http4s:http4s-client_3"
88198
},
89199
"ranges": [
90200
{
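Review bot: after this rename at line 87, `http4s-client_3` carries three ranges in the file (the blocks starting at original lines 43, 65 and 87) while `http4s-server_3` carries two (the blocks whose ranges start at original lines 110 and 132). The details do not say which version lines shipped Scala 3 artifacts, so either the client side has one range too many or the server side is missing one; whichever it is, the two modules should be symmetric, since the affected fields and fix versions are the same for server and client. Verify against the published `_3` artifacts and drop or add the range accordingly rather than leaving the asymmetry.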
@@ -106,7 +216,196 @@
106216
{
107217
"package": {
108218
"ecosystem": "Maven",
109-
"name": "org.http4s:http4s-client"
219+
"name": "org.http4s:http4s-server_2.10"
220+
},
221+
"ranges": [
222+
{
223+
"type": "ECOSYSTEM",
224+
"events": [
225+
{
226+
"introduced": "0"
227+
},
228+
{
229+
"last_affected": "0.21.28"
230+
}
231+
]
232+
}
233+
]
234+
},
235+
{
236+
"package": {
237+
"ecosystem": "Maven",
238+
"name": "org.http4s:http4s-server_2.11"
239+
},
240+
"ranges": [
241+
{
242+
"type": "ECOSYSTEM",
243+
"events": [
244+
{
245+
"introduced": "0"
246+
},
247+
{
248+
"last_affected": "0.21.28"
249+
}
250+
]
251+
}
252+
]
253+
},
254+
{
255+
"package": {
256+
"ecosystem": "Maven",
257+
"name": "org.http4s:http4s-server_2.12"
258+
},
259+
"ranges": [
260+
{
261+
"type": "ECOSYSTEM",
262+
"events": [
263+
{
264+
"introduced": "0"
265+
},
266+
{
267+
"fixed": "0.21.29"
268+
}
269+
]
270+
}
271+
],
272+
"database_specific": {
273+
"last_known_affected_version_range": "<= 0.21.28"
274+
}
275+
},
276+
{
277+
"package": {
278+
"ecosystem": "Maven",
279+
"name": "org.http4s:http4s-server_2.12"
280+
},
281+
"ranges": [
282+
{
283+
"type": "ECOSYSTEM",
284+
"events": [
285+
{
286+
"introduced": "0.22.0"
287+
},
288+
{
289+
"fixed": "0.22.5"
290+
}
291+
]
292+
}
293+
],
294+
"database_specific": {
295+
"last_known_affected_version_range": "<= 0.22.4"
296+
}
297+
},
298+
{
299+
"package": {
300+
"ecosystem": "Maven",
301+
"name": "org.http4s:http4s-server_2.12"
302+
},
303+
"ranges": [
304+
{
305+
"type": "ECOSYSTEM",
306+
"events": [
307+
{
308+
"introduced": "0.23.0"
309+
},
310+
{
311+
"fixed": "0.23.4"
312+
}
313+
]
314+
}
315+
],
316+
"database_specific": {
317+
"last_known_affected_version_range": "<= 0.23.3"
318+
}
319+
},
320+
{
321+
"package": {
322+
"ecosystem": "Maven",
323+
"name": "org.http4s:http4s-server_2.13"
324+
},
325+
"ranges": [
326+
{
327+
"type": "ECOSYSTEM",
328+
"events": [
329+
{
330+
"introduced": "0"
331+
},
332+
{
333+
"fixed": "0.21.29"
334+
}
335+
]
336+
}
337+
],
338+
"database_specific": {
339+
"last_known_affected_version_range": "<= 0.21.28"
340+
}
341+
},
342+
{
343+
"package": {
344+
"ecosystem": "Maven",
345+
"name": "org.http4s:http4s-server_2.13"
346+
},
347+
"ranges": [
348+
{
349+
"type": "ECOSYSTEM",
350+
"events": [
351+
{
352+
"introduced": "0.22.0"
353+
},
354+
{
355+
"fixed": "0.22.5"
356+
}
357+
]
358+
}
359+
],
360+
"database_specific": {
361+
"last_known_affected_version_range": "<= 0.22.4"
362+
}
363+
},
364+
{
365+
"package": {
366+
"ecosystem": "Maven",
367+
"name": "org.http4s:http4s-server_2.13"
368+
},
369+
"ranges": [
370+
{
371+
"type": "ECOSYSTEM",
372+
"events": [
373+
{
374+
"introduced": "0.23.0"
375+
},
376+
{
377+
"fixed": "0.23.4"
378+
}
379+
]
380+
}
381+
],
382+
"database_specific": {
383+
"last_known_affected_version_range": "<= 0.23.3"
384+
}
385+
},
386+
{
387+
"package": {
388+
"ecosystem": "Maven",
389+
"name": "org.http4s:http4s-server_2.13.0-M5"
390+
},
391+
"ranges": [
392+
{
393+
"type": "ECOSYSTEM",
394+
"events": [
395+
{
396+
"introduced": "0"
397+
},
398+
{
399+
"last_affected": "0.21.28"
400+
}
401+
]
402+
}
403+
]
404+
},
405+
{
406+
"package": {
407+
"ecosystem": "Maven",
408+
"name": "org.http4s:http4s-server_3"
110409
},
111410
"ranges": [
112411
{
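Review bot: the new `http4s-server_2.10`, `http4s-server_2.11` and `http4s-server_2.13.0-M5` entries end with `"last_affected": "0.21.28"` (lines 229, 248 and 399) and carry no `database_specific`, whereas the `_2.12` and `_2.13` entries beside them use `"fixed": "0.21.29"` plus `last_known_affected_version_range`. If the intent is that no 0.21.29 build was ever published for those Scala suffixes, `last_affected` is the right OSV shape, but a short `database_specific` note saying so would keep the next editor from "correcting" it to `fixed`. Also, those three suffixes appear only for the server module; the details table marks blaze-client and ember-client as affected for header names and values, so if client artifacts with the same suffixes exist for 0.21.x they need matching entries, and if they do not, that is worth stating in the same note.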
@@ -128,7 +427,7 @@
128427
{
129428
"package": {
130429
"ecosystem": "Maven",
131-
"name": "org.http4s:http4s-client"
430+
"name": "org.http4s:http4s-server_3"
132431
},
133432
"ranges": [
134433
{
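Review bot: line 131 turns the last `http4s-client` entry into `http4s-server_3` while its range (original lines 132-149) stays as it was, so a client range is now reported for the server module. That is harmless only if the events already match the server fix versions from the details (`0.22.5` or `0.23.4`); confirm they do. Note that `http4s-server_3` ends up with just this range and the one whose range starts at original line 110, so any version line that shipped a Scala 3 server artifact but is not covered by one of those two is silently reported as unaffected.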
