
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-5280 affects http4s versions before 0.18.26, 0.20.20, and 0.21.2, specifically impacting users of the org.http4s.server.staticcontent.FileService, ResourceService, and WebjarService components. The vulnerability was discovered and disclosed in March 2020; it is a local file inclusion flaw caused by URI normalization being applied incorrectly (GitHub Advisory).
The vulnerability stems from incorrect URI normalization where requests containing '../' or '//' in their path info can expose resources outside of the configured location. Additionally, when services are configured with a non-empty pathPrefix that doesn't end in a slash, directories whose names are prefixes of systemPath or pathPrefix become exposed. URI segments are not properly decoded before resource resolution, causing resources with reserved characters to return 404 errors and potentially exposing incorrectly encoded resources (GitHub Advisory).
The vulnerability can lead to exposure of any file on the local file system through FileService and any resource on the class path through ResourceService. When pathPrefix configuration is involved, it can lead to unintended directory exposure. For example, if pathPrefix is /foo and systemPath is /bar, a request to /foobaz/quux.txt could expose file /barbaz/quux.txt, when only files beneath /bar should be accessible (GitHub Advisory).
The recommended mitigation is to upgrade to a patched version: v0.18.26 for the 0.18.x series, v0.20.20 for the 0.20.x series, or v0.21.2 for the 0.21.x series. The patches reject paths with empty segments, '.' segments, or '..' segments with a 400 Bad Request response. If upgrading is not possible, temporary workarounds include copying the fixed service files into the project under modified package names or, for servlet backend users, using the servlet container's own file serving capabilities (GitHub Advisory).
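The two defects described above and the segment checks applied by the fix, as an added string-only illustration in Python (not http4s code): the flawed prefix handling that maps /foobaz/quux.txt onto /barbaz/quux.txt sits beside a resolver that strips pathPrefix only at a segment boundary, decodes each segment, and rejects empty, '.' or '..' segments with 400. Function names, and the rule that a trailing slash counts as an empty segment, are assumptions of this example.

```python
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote

# Added illustration (not http4s code): a string-only model of the two defects
# the advisory describes and the checks the fix applies. Nothing is opened.

def naive_resolve(system_path: str, path_prefix: str, path_info: str) -> Optional[str]:
    """Flawed shape: prefix stripped with a bare startswith, remainder joined
    unchecked, so pathPrefix /foo + systemPath /bar + /foobaz/quux.txt
    yields /barbaz/quux.txt."""
    if not path_info.startswith(path_prefix):
        return None
    return system_path + path_info[len(path_prefix):]

def strip_prefix(path_info: str, path_prefix: str) -> Optional[str]:
    """Remove path_prefix only at a segment boundary: '/foo' matches '/foo'
    and '/foo/...' but never '/foobaz'. None means not under this service."""
    prefix = path_prefix.rstrip("/")
    if prefix == "":
        return path_info
    if path_info == prefix:
        return "/"
    if path_info.startswith(prefix + "/"):
        return path_info[len(prefix):]
    return None

def safe_resolve(system_path: str, path_prefix: str, path_info: str) -> Tuple[int, Optional[str]]:
    """Return (status, resolved path): 404 outside the prefix, 400 for any
    empty, '.' or '..' segment (as the patched releases do), else 200."""
    rest = strip_prefix(path_info, path_prefix)
    if rest is None:
        return 404, None
    # Split on raw slashes first, then decode each segment, so an encoded
    # separator (%2F) or dot (%2e) is judged after decoding, never before.
    segments = [] if rest == "/" else [unquote(s) for s in rest.split("/")[1:]]
    for seg in segments:
        if seg in ("", ".", "..") or "/" in seg or "\0" in seg:
            return 400, None
    root = posixpath.normpath(system_path)
    target = posixpath.normpath(posixpath.join(root, *segments))
    # Defence in depth: the join must still sit at or beneath system_path.
    if target != root and not target.startswith(root + "/"):
        return 400, None
    return 200, target
```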
Source: This report was generated using AI