daviddenton committed Dec 12, 2024
1 parent ce15874 commit 367b635
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion security/cve-2024-12345/index.html
Expand Up @@ -76,7 +76,7 @@
which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even
execute code under some circumstances.</p><h3 id=affected-http4k-modules--versions>Affected http4k modules & versions</h3><ul><li><code>http4k-format-xml</code><ul><li>5.40.0.0 and below</li><li>4.49.0.0 and below</li></ul></li></ul><h3 id=mitigation>Mitigation</h3><p>Users of affected versions should upgrade to the corresponding fixed version as below. http4k EE subscribers can access
the fixed LTS versions through the dedicated http4k Maven instance. For more details about the http4k EE LTS versions,
please contact <a href=mailto:[email protected]>http4k enterprise support</a></p><table><thead><tr><th>Version</th><th>Fixed Version</th><th>Availability</th></tr></thead><tbody><tr><td>&lt;= 5.40.0.0</td><td>5.41.0.0</td><td>Community & <a href=/enterprise>Enterprise Support</a></td></tr><tr><td>&lt;= 4.49.0.0</td><td>4.50.0.0</td><td><a href=/enterprise>Enterprise Support Only</a></td></tr></tbody></table><p>Older, unsupported versions are also affected.</p><h3 id=resolution-timeline>Resolution timeline</h3><table><thead><tr><th>Date/time</th><th>Notes</th></tr></thead><tbody><tr><td>12/12/2024 0949</td><td>Advisory opened by @JAckLosingHeart</td></tr><tr><td>12/12/2024 1004</td><td>Advisory accepted and private fork created</td></tr><tr><td>12/12/2024 1015</td><td>Issue recreated on private fork with failing test.</td></tr><tr><td>12/12/2024 1056</td><td>PR raised on private fork with fix and request for review</td></tr><tr><td>12/12/2024 1226</td><td>PR review and accepted</td></tr><tr><td>12/12/2024 1235</td><td>PR merged</td></tr><tr><td>12/12/2024 1243</td><td>CVE requested from GitHub</td></tr><tr><td>12/12/2024 1502</td><td>CVE number CVE-2024-55875  assigned</td></tr><tr><td>12/12/2024 1530</td><td>Patch applied to http4k-LTS-v4, and http4k EE LTS v4.50.0.0 released to LTS Maven repo</td></tr><tr><td>12/12/2024 1611</td><td>http4k CE v5.41.0.0 released & available in Maven Central</td></tr><tr><td>12/12/2024 1613</td><td>Public disclosure</td></tr></tbody></table><h3>References</h3><ul><li>Full GitHub Advisory: <a href><b></b></a></li><li>NIST CVE Registry: <a href=https://nvd.nist.gov/vuln/detail/CVE-2024-55875><b>https://nvd.nist.gov/vuln/detail/CVE-2024-55875</b></a></li></ul><div class="my-5 d-flex justify-content-center"><a href=../ class="btn btn-primary">All Security Advisories</a></div></article></main></div><footer><div class=container><div class="row pb-3 text-start text-xl-start"><div class="col-md-6 col-lg-3" style=width:200px><a class=p-0 
href=https://http4k.org><img src=/images/logo.svg alt=logo width=50%></a><p></p><ul class=list-unstyled><li class="small text-white text-decoration-none">http4k Limited</li><li class="small text-white text-decoration-none">Registered in England & Wales</li><li class="small text-white text-decoration-none">Reg no: 14687467</li></ul></div><div class="col-xs-6 col-md"><h5>About</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/overview/>Overview</a></li><li><a class="small text-white text-decoration-none" href=/news/>News</a></li><li><a class="small text-white text-decoration-none" href=/showcase/>Showcase</a></li></ul></div><div class="col-xs-6 col-md"><h5>Learn</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/learn/>About the docs</a></li><li><a class="small text-white text-decoration-none" href=/quickstart/>Quickstart</a></li><li><a class="small text-white text-decoration-none" href=/tutorial/>Tutorials</a></li><li><a class="small text-white text-decoration-none" href=/howto/>How-to guides</a></li><li><a class="small text-white text-decoration-none" href=/faq/>FAQ</a></li><li><a class="small text-white text-decoration-none" href=/performance/>Performance</a></li></ul></div><div class="col-xs-6 col-md"><h5>Ecosystem</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/ecosystem/>Overview</a></li><li><a class="small text-white text-decoration-none" href=/ecosystem/http4k/>http4k Core</a></li><li><a class="small text-white text-decoration-none" href=/ecosystem/connect/>http4k Connect</a></li><li><a class="small text-white text-decoration-none" href=/ecosystem/changelog/>Changelog</a></li></ul></div><div class="col-xs-6 col-md"><h5>Solutions</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/solutions/>Overview</a></li><li><a class="small text-white text-decoration-none" href=/enterprise/>Enterprise Edition</a></li><li><a 
class="small text-white text-decoration-none" href=/consulting/>Consulting</a></li><li><a class="small text-white text-decoration-none" href=/training/>Developer Training</a></li><li><a class="small text-white text-decoration-none" href=http://http4k.slack.com/>Private Slack</a></li><li><a class="small text-white text-decoration-none" href=/security/>Security Advisories</a></li></ul></div><div class="col-xs-6 col-md"><h5>Community</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/community/>Our Community of Contributors</a></li><li><a class="small text-white text-decoration-none" href=https://kotlinlang.slack.com/archives/C5AL3AKUY>Community Slack</a></li><li><a class="small text-white text-decoration-none" href=/code-of-conduct/>Code of Conduct</a></li></ul></div><div class="col-xs-6 col-md"><h5>Toolbox</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=https://toolbox.http4k.org/>Web</a></li><li><a class="small text-white text-decoration-none" href=https://plugins.jetbrains.com/plugin/25243-http4k-toolbox>IntelliJ</a></li><li><a class="small text-white text-decoration-none" href=https://toolbox.http4k.org/>CLI</a></li></ul></div><div class="col-xs-6 col-md"><h5>Company</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/company/>About</a></li><li><a class="small text-white text-decoration-none" href=mailto:[email protected]>Contact</a></li><li><a class="small text-white text-decoration-none" href=https://www.linkedin.com/company/http4k>LinkedIn</a></li><li><a class="small text-white text-decoration-none" href=https://x.com/http4k>X</a></li></ul></div></div></div><div class="row text-center"><div class=col><p class="small text-white text-decoration-none">© 2024&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;All Rights Reserved&nbsp;&nbsp;&nbsp;
please contact <a href=mailto:[email protected]>http4k enterprise support</a></p><table><thead><tr><th>Version</th><th>Fixed Version</th><th>Availability</th></tr></thead><tbody><tr><td>&lt;= 5.40.0.0</td><td>5.41.0.0</td><td>Community & <a href=/enterprise>Enterprise Support</a></td></tr><tr><td>&lt;= 4.49.0.0</td><td>4.50.0.0</td><td><a href=/enterprise>Enterprise Support Only</a></td></tr></tbody></table><p>Older, unsupported versions are also affected.</p><h3 id=resolution-timeline>Resolution timeline</h3><table><thead><tr><th>Date/time</th><th>Notes</th></tr></thead><tbody><tr><td>12/12/2024 0949</td><td>Advisory opened by @JAckLosingHeart</td></tr><tr><td>12/12/2024 1004</td><td>Advisory accepted and private fork created</td></tr><tr><td>12/12/2024 1015</td><td>Issue recreated on private fork with failing test.</td></tr><tr><td>12/12/2024 1056</td><td>PR raised on private fork with fix and request for review</td></tr><tr><td>12/12/2024 1226</td><td>PR review and accepted</td></tr><tr><td>12/12/2024 1235</td><td>PR merged</td></tr><tr><td>12/12/2024 1243</td><td>CVE requested from GitHub</td></tr><tr><td>12/12/2024 1502</td><td>CVE number CVE-2024-55875  assigned</td></tr><tr><td>12/12/2024 1530</td><td>Patch applied to http4k-LTS-v4, and http4k EE LTS v4.50.0.0 released to LTS Maven repo</td></tr><tr><td>12/12/2024 1611</td><td>http4k CE v5.41.0.0 released & available in Maven Central</td></tr><tr><td>12/12/2024 1613</td><td>Public disclosure</td></tr></tbody></table><h3>References</h3><ul><li>Full GitHub Advisory: <a href=https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw><b>https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw</b></a></li><li>NIST CVE Registry: <a href=https://nvd.nist.gov/vuln/detail/CVE-2024-55875><b>https://nvd.nist.gov/vuln/detail/CVE-2024-55875</b></a></li></ul><div class="my-5 d-flex justify-content-center"><a href=../ class="btn btn-primary">All Security 
Advisories</a></div></article></main></div><footer><div class=container><div class="row pb-3 text-start text-xl-start"><div class="col-md-6 col-lg-3" style=width:200px><a class=p-0 href=https://http4k.org><img src=/images/logo.svg alt=logo width=50%></a><p></p><ul class=list-unstyled><li class="small text-white text-decoration-none">http4k Limited</li><li class="small text-white text-decoration-none">Registered in England & Wales</li><li class="small text-white text-decoration-none">Reg no: 14687467</li></ul></div><div class="col-xs-6 col-md"><h5>About</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/overview/>Overview</a></li><li><a class="small text-white text-decoration-none" href=/news/>News</a></li><li><a class="small text-white text-decoration-none" href=/showcase/>Showcase</a></li></ul></div><div class="col-xs-6 col-md"><h5>Learn</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/learn/>About the docs</a></li><li><a class="small text-white text-decoration-none" href=/quickstart/>Quickstart</a></li><li><a class="small text-white text-decoration-none" href=/tutorial/>Tutorials</a></li><li><a class="small text-white text-decoration-none" href=/howto/>How-to guides</a></li><li><a class="small text-white text-decoration-none" href=/faq/>FAQ</a></li><li><a class="small text-white text-decoration-none" href=/performance/>Performance</a></li></ul></div><div class="col-xs-6 col-md"><h5>Ecosystem</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/ecosystem/>Overview</a></li><li><a class="small text-white text-decoration-none" href=/ecosystem/http4k/>http4k Core</a></li><li><a class="small text-white text-decoration-none" href=/ecosystem/connect/>http4k Connect</a></li><li><a class="small text-white text-decoration-none" href=/ecosystem/changelog/>Changelog</a></li></ul></div><div class="col-xs-6 col-md"><h5>Solutions</h5><ul class=list-unstyled><li><a 
class="small text-white text-decoration-none" href=/solutions/>Overview</a></li><li><a class="small text-white text-decoration-none" href=/enterprise/>Enterprise Edition</a></li><li><a class="small text-white text-decoration-none" href=/consulting/>Consulting</a></li><li><a class="small text-white text-decoration-none" href=/training/>Developer Training</a></li><li><a class="small text-white text-decoration-none" href=http://http4k.slack.com/>Private Slack</a></li><li><a class="small text-white text-decoration-none" href=/security/>Security Advisories</a></li></ul></div><div class="col-xs-6 col-md"><h5>Community</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/community/>Our Community of Contributors</a></li><li><a class="small text-white text-decoration-none" href=https://kotlinlang.slack.com/archives/C5AL3AKUY>Community Slack</a></li><li><a class="small text-white text-decoration-none" href=/code-of-conduct/>Code of Conduct</a></li></ul></div><div class="col-xs-6 col-md"><h5>Toolbox</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=https://toolbox.http4k.org/>Web</a></li><li><a class="small text-white text-decoration-none" href=https://plugins.jetbrains.com/plugin/25243-http4k-toolbox>IntelliJ</a></li><li><a class="small text-white text-decoration-none" href=https://toolbox.http4k.org/>CLI</a></li></ul></div><div class="col-xs-6 col-md"><h5>Company</h5><ul class=list-unstyled><li><a class="small text-white text-decoration-none" href=/company/>About</a></li><li><a class="small text-white text-decoration-none" href=mailto:[email protected]>Contact</a></li><li><a class="small text-white text-decoration-none" href=https://www.linkedin.com/company/http4k>LinkedIn</a></li><li><a class="small text-white text-decoration-none" href=https://x.com/http4k>X</a></li></ul></div></div></div><div class="row text-center"><div class=col><p class="small text-white text-decoration-none">© 
2024&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;All Rights Reserved&nbsp;&nbsp;&nbsp;
|&nbsp;&nbsp;&nbsp;<a class="text-white text-decoration-none" href=/privacy-policy/>Privacy policy</a>&nbsp;&nbsp;&nbsp;
|&nbsp;&nbsp;&nbsp;<a class="text-white text-decoration-none" href=/terms-and-conditions/>Terms & conditions</a>&nbsp;&nbsp;&nbsp;
|&nbsp;&nbsp;&nbsp;<a class="text-white text-decoration-none" href=/disclaimer/>Disclaimer</a>&nbsp;&nbsp;&nbsp;</p></div></div></footer><script src=https://cdn.jsdelivr.net/npm/@docsearch/js@3></script><script type=text/javascript>docsearch({appId:"YCNGOLH2XD",apiKey:"7d482d8fd709c47a83521cc49479d4b1",indexName:"http4k",container:"#searchBox"}),$(document).ready(function(){$(".highlight").each(function(){const e=$('<i class="fs-2 bi bi-clipboard copy-button"></i>');$(this).find("pre").prepend(e),e.on("click",function(){const e=$(this),t=e.parent().find("code").text();navigator.clipboard.writeText(t).then(()=>{e.removeClass("bi-clipboard").addClass("bi-clipboard-check-fill"),setTimeout(()=>{e.removeClass("bi-clipboard-check-fill").addClass("bi-clipboard")},250)}).catch(e=>{console.error("Could not copy text: ",e)})})})})</script></body></html>
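Review bot: The added line correctly fills the empty `<a href><b></b></a>` placeholder under References with the GHSA-7mj5-hjjj-8rgw advisory URL (an empty href previously rendered as a link back to the page itself), but the file being changed lives at `security/cve-2024-12345/index.html`, which reads like a placeholder CVE id, while the timeline in this same hunk records CVE-2024-55875 as the assigned number; consider renaming the directory (or adding a redirect) so the advisory's URL matches the real CVE, since readers and tooling will look it up by that id. While touching this line, the unchanged timeline cells "CVE number CVE-2024-55875  assigned" (double space) and "PR review and accepted" (reads better as "PR reviewed and accepted") could be tidied in the same commit.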
