CVE-2021-23339 (Medium) detected in akka-http-core_2.12-10.0.15.jar

[mend-for-github-com]

CVE-2021-23339 - Medium Severity Vulnerability

Vulnerable Library - akka-http-core_2.12-10.0.15.jar

akka-http-core

Library home page: https://akka.io

Path to dependency file: superglue/api/build.gradle

Path to vulnerable library: /tmp/ws-ua_20200424203945/downloadResource_4b8df0d7-6a8c-4c14-9fc3-517987ee2474/20200424204519/akka-http-core_2.12-10.0.15.jar,/tmp/ws-ua_20200424203945/downloadResource_4b8df0d7-6a8c-4c14-9fc3-517987ee2474/20200424204519/akka-http-core_2.12-10.0.15.jar

Dependency Hierarchy:

• scalatestplus-play_2.12-3.1.2.jar (Root Library)
  • play-test_2.12-2.6.21.jar
    • play-akka-http-server_2.12-2.6.21.jar
      • ❌ akka-http-core_2.12-10.0.15.jar (Vulnerable Library)

Vulnerability Details

This affects all versions before 10.1.14 and from 10.2.0 to 10.2.4 of package com.typesafe.akka:akka-http-core. It allows multiple Transfer-Encoding headers.

Publish Date: 2021-02-17

URL: CVE-2021-23339

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.