CVE-2021-39185

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-39185
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-39185.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-39185
Aliases
Related
Published
2021-09-01T20:15:07Z
Modified
2025-02-14T11:31:29.813916Z
Summary
[none]
Details

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original CORS implementation and CORSConfig are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.

References

Affected packages

Git / github.com/http4s/http4s

Affected ranges

Type
GIT
Repo
https://github.com/http4s/http4s
Events
Last affected
Introduced

Affected versions

v0.*

v0.22.0
v0.22.1
v0.23.0
v0.23.0-M1
v0.23.0-RC1

v1.*

v1.0.0-M11
v1.0.0-M12
v1.0.0-M13
v1.0.0-M14
v1.0.0-M15
v1.0.0-M16
v1.0.0-M17
v1.0.0-M18
v1.0.0-M19
v1.0.0-M20
v1.0.0-M21
v1.0.0-M22
v1.0.0-M23