{
  "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54546?format=json",
  "vulnerability_id": "VCID-zpsp-jh45-7ygv",
  "summary": "Path Traversal\nHttp4s is a Scala interface for HTTP services. `StaticFile.fromUrl` can leak the presence of a directory on a server when the `URL` scheme is not `file://`, and the URL points to a fetchable resource under its scheme and authority. The function returns `F[None]`, indicating no resource, if `url.getFile` is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL would return a stream, and the path in the URL exists as a directory on the server, the presence of the directory on the server could be inferred from the response. The contents and other metadata about the directory are not exposed.",
  "aliases": [
    {"alias": "CVE-2021-32643"},
    {"alias": "GHSA-6h7w-fc84-x7p6"}
  ],
  "fixed_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80905?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core@0.21.24",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core@0.21.24"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/142537?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core@0.22.0-RC1",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core@0.22.0-RC1"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80906?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core@0.23.0-RC1",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core@0.23.0-RC1"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80907?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core@1.0.0-M23",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core@1.0.0-M23"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80887?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core_2.12@1.0.0-M23",
      "is_vulnerable": false,
      "affected_by_vulnerabilities": [],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core_2.12@1.0.0-M23"
    }
  ],
  "affected_packages": [
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80899?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core@0.21.7",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-zpsp-jh45-7ygv"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core@0.21.7"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80900?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core@0.22.0-M1",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-zpsp-jh45-7ygv"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core@0.22.0-M1"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80901?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core@0.22.0-M8",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-zpsp-jh45-7ygv"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core@0.22.0-M8"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80902?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core@0.23.0-M1",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-zpsp-jh45-7ygv"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core@0.23.0-M1"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80903?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core@1.0.0-M1",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-zpsp-jh45-7ygv"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core@1.0.0-M1"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80904?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core@1.0.0-M22",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [{"vulnerability": "VCID-zpsp-jh45-7ygv"}],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core@1.0.0-M22"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/80886?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core_2.12@0.21.7",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-n9x9-k998-77cm"},
        {"vulnerability": "VCID-zpsp-jh45-7ygv"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core_2.12@0.21.7"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/58863?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core_2.12@0.22.0",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-1ykn-yyp7-wbgg"},
        {"vulnerability": "VCID-83r2-kxmr-zucc"},
        {"vulnerability": "VCID-zpsp-jh45-7ygv"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core_2.12@0.22.0"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/58865?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core_2.12@0.23.0",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-1ykn-yyp7-wbgg"},
        {"vulnerability": "VCID-83r2-kxmr-zucc"},
        {"vulnerability": "VCID-zpsp-jh45-7ygv"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core_2.12@0.23.0"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/packages/58867?format=json",
      "purl": "pkg:maven/org.http4s/http4s-core_2.12@1.0.0",
      "is_vulnerable": true,
      "affected_by_vulnerabilities": [
        {"vulnerability": "VCID-1ykn-yyp7-wbgg"},
        {"vulnerability": "VCID-83r2-kxmr-zucc"},
        {"vulnerability": "VCID-zpsp-jh45-7ygv"}
      ],
      "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-core_2.12@1.0.0"
    }
  ],
  "references": [
    {
      "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32643",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.55023", "published_at": "2026-06-04T12:55:00Z"}
      ],
      "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32643"
    },
    {
      "reference_url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},
        {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/http4s/http4s/commit/52e1890665410b4385e37b96bc49c5e3c708e4e9"
    },
    {
      "reference_url": "https://mvnrepository.com/artifact/org.http4s/http4s-core",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},
        {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://mvnrepository.com/artifact/org.http4s/http4s-core"
    },
    {
      "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32643",
      "reference_id": "CVE-2021-32643",
      "reference_type": "",
      "scores": [
        {"value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},
        {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32643"
    },
    {
      "reference_url": "https://github.com/advisories/GHSA-6h7w-fc84-x7p6",
      "reference_id": "GHSA-6h7w-fc84-x7p6",
      "reference_type": "",
      "scores": [],
      "url": "https://github.com/advisories/GHSA-6h7w-fc84-x7p6"
    },
    {
      "reference_url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6",
      "reference_id": "GHSA-6h7w-fc84-x7p6",
      "reference_type": "",
      "scores": [
        {"value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},
        {"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-6h7w-fc84-x7p6"
    }
  ],
  "weaknesses": [
    {
      "cwe_id": 1035,
      "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
      "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
    },
    {
      "cwe_id": 22,
      "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
      "description": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory."
    },
    {
      "cwe_id": 937,
      "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
      "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
    }
  ],
  "exploits": [],
  "severity_range_score": "4.0 - 6.9",
  "exploitability": "0.5",
  "weighted_severity": "6.2",
  "risk_score": 3.1,
  "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zpsp-jh45-7ygv"
}