CVE-2020-5280

http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*

Information

Published : 2020-03-25 18:15

Updated : 2020-03-30 17:48


NVD link : CVE-2020-5280

Mitre link : CVE-2020-5280


JSON object : View

Products Affected

typelevel

  • http4s
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')