Skip to main content

Improper Input Validation

CVE-2023-22465

Severity Medium
Score 5.3/10

Summary

Http4s is a Scala interface for HTTP services. Starting with version 0.1.x prior to 0.21.34, 0.22.x prior to 0.22.15, 0.23.x prior to 0.23.17, and 1.0.0-x prior to 1.0.0-M38, the "User-Agent" and "Server" header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • LOW

CWE-20 - Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Advisory Timeline

  • Published