CVE-2021-32643 : Security Advisory and Response
Learn about CVE-2021-32643, a vulnerability in Http4s versions 0.21.7 to 1.0.0-M22. Find out the impact of the StaticFile.fromUrl flaw and how to mitigate the risks.
This article provides an overview of CVE-2021-32643, a vulnerability in Http4s that can leak the presence of a directory on a server when handling URLs incorrectly.
Understanding CVE-2021-32643
CVE-2021-32643 is a security vulnerability in Http4s that affects versions 0.21.7 to 0.21.23, 0.22.0-M1 to 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 to 1.0.0-M22.
What is CVE-2021-32643?
Http4s, a Scala interface for HTTP services, contains a flaw in the
StaticFile.fromUrlfile://The Impact of CVE-2021-32643
The vulnerability could allow an attacker to infer the presence of a directory on the server by receiving a 404 response when accessing non-file URLs. It poses a medium severity risk with a CVSS base score of 5.8.
Technical Details of CVE-2021-32643
The vulnerability arises from
StaticFile.fromURLVulnerability Description
The
StaticFile.fromUrlAffected Systems and Versions
Http4s versions 0.21.7 to 0.21.23, 0.22.0-M1 to 0.22.0-M8, 0.23.0-M1, and 1.0.0-M1 to 1.0.0-M22 are impacted by this vulnerability.
Exploitation Mechanism
By making requests to non-file URLs with specific directory paths, an attacker can exploit this vulnerability to deduce the existence of directories on the target server.
Mitigation and Prevention
It is recommended for users to apply the provided patches or workarounds to mitigate the risks associated with CVE-2021-32643.
Immediate Steps to Take
Users should update their Http4s installation to patched versions or avoid using
StaticFile.fromUrlLong-Term Security Practices
Developers are advised to implement secure URL handling practices and regularly update their dependencies to address security vulnerabilities.
Patching and Updates
The patch for CVE-2021-32643 is available in Http4s versions v0.21.24, v0.22.0-M9, v0.23.0-M2, and v1.0.0-M23.