Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Default CORS config allows any origin with credentials
Vulnerability Description
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
源验证错误
Vulnerability Title
Http4s访问控制错误漏洞
Vulnerability Description
http4s是一款开源的用于Scala的流HTTP服务器。 Http4s 存在访问控制错误漏洞,该漏洞源于默认 CORS 配置容易受到源反射攻击。以下产品和版本受到影响:0.21.26 及更早版本、0.22.0 到 0.22.2、0.23.0、0.23.1 和 1.0.0-M1 到 1.0.0-M24。
CVSS Information
N/A
Vulnerability Type
N/A