Thomas Gøytil

**Name of the Vulnerable Software and Affected Versions** http4s versions prior to 0.18.26 http4s versions prior to 0.20.20 http4s versions prior to 0.21.2 **Description** The issue applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService, and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly, allowing requests with path info containing ../ or // to expose resources outside of the configured location. This can lead to exposure of files on the local file system or resources on the class path. The vulnerability also involves prefix matching and URI decoding issues, which can cause incorrect exposure of resources. **Recommendations** For versions prior to 0.18.26, upgrade to version 0.18.26 or later. For versions prior to 0.20.20, upgrade to version 0.20.20 or later. For versions prior to 0.21.2, upgrade to version 0.21.2 or later. As a temporary workaround, consider copying the patched FileService.scala, ResourceService.scala, and WebjarService.scala from the appropriate release series into your project and recompiling with that, changing the package name and reference in your application. Users of a servlet backend can use the servlet container's file serving capabilities as an alternative.

**Name of the Vulnerable Software and Affected Versions** Kibana versions 5.3.0 and later **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the Discover page. This could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. **Recommendations** For versions 5.3.0 and later, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.