Default CORS config allows any origin with credentials
CVE-2021-39185

9.1CRITICAL

Key Information:

Vendor: Http4s
Status: Http4s
Vendor: CVE Published:; 1 September 2021

What is CVE-2021-39185?

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original CORS implementation and CORSConfig are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

http4s < 0.21.27 < 0.21.27

http4s >= 0.22.0, < 0.22.3 < 0.22.0, 0.22.3

http4s >= 0.23.0, < 0.23.2 < 0.23.0, 0.23.2

References

https://github.com/http4s/http4s/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/http4s/http4s/releases/tag/v0.23.2

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 1, 2021
Vulnerability Reserved
Aug 16, 2021

JSON

Http4s

What is CVE-2021-39185?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.