CVE-2023-22465
Http4s improperly parses User-Agent and Server headers
Description
### Impact The `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. #### v0.21.x ```scala val unsafe: Option[`User-Agent`] = req.headers.get(`User-Agent`) ``` #### v0.22.x, v0.23.x, v1.x ```scala val unsafe: Option[`User-Agent`] = req.headers.get[`User-Agent`] val alsoUnsafe: Option[`Server`] = req.headers.get[Server] ``` ### Patches Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. ### Workarounds #### Use the weakly typed header interface ##### v0.21.x ```scala val safe: Option[Header] = req.headers.get("User-Agent".ci) // but don't do this val unsafe = header.map(_.parsed) ``` ##### v0.22.x, v0.23.x, v1.x ```scala val safe: Option[Header] = req.headers.get(ci"User-Agent") ```
How to fix CVE-2023-22465
To remediate CVE-2023-22465, upgrade the affected package to a fixed version below.
- —no fix listed
- —no fix listed
- —no fix listed
- —upgrade to 0.21.34 or later
- —upgrade to 0.21.34 or later
Is CVE-2023-22465 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- >= 1.0.0-M1, <= 1.0.0-M30
- >= 0.1.0, <= 0.9.3
- >= 0.1.0, <= 0.21.0-M1
- >= 0.1.0, < 0.21.34
- >= 0.1.0, < 0.21.34
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |