CVE-2021-32643: Path Traversal

May 27, 2021 (updated June 10, 2021)

Http4s is a Scala interface for HTTP services. StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns F[None], indicating no resource, if url.getFile is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the response. The contents and other metadata about the directory are not exposed.

References

nvd.nist.gov/vuln/detail/CVE-2021-32643

Code Behaviors & Features

Detect and mitigate CVE-2021-32643 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →