swagger-ui-2.2.10.tgz: 5 vulnerabilities (highest severity is: 9.8) - autoclosed #58

Closed
mend-for-github-com bot opened this issue Mar 13, 2023 · 2 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Contributor

Vulnerable Library - swagger-ui-2.2.10.tgz

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz

Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f

Mend has checked all newer package trees, and you are on the least vulnerable package!

Please note: There might be a version that explicitly solves one or more of the vulnerabilities listed below, but we do not recommend it. For more info about the optional fixes, check the section “Details” below.

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (swagger-ui version) | Fix PR available |
|---|---|---|---|---|---|---|
| CVE-2019-17495 | High | 9.8 | swagger-ui-2.2.10.tgz | Direct | N/A | |
| WS-2019-0172 | Medium | 6.5 | swagger-ui-2.2.10.tgz | Direct | N/A | |
| WS-2019-0236 | Medium | 6.1 | swagger-ui-2.2.10.tgz | Direct | N/A | |
| CVE-2018-25031 | Medium | 4.3 | swagger-ui-2.2.10.tgz | Direct | N/A | |
| WS-2019-0171 | Medium | 4.3 | swagger-ui-2.2.10.tgz | Direct | N/A | |

Details

CVE-2019-17495

Vulnerable Library - swagger-ui-2.2.10.tgz

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz

Dependency Hierarchy:

  • swagger-ui-2.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f

Found in base branch: main

Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Publish Date: 2019-10-10

URL: CVE-2019-17495

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c427-hjc3-wrfw

Release Date: 2019-10-10

Fix Resolution: swagger-ui - 3.23.11

WS-2019-0172

Vulnerable Library - swagger-ui-2.2.10.tgz

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz

Dependency Hierarchy:

  • swagger-ui-2.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f

Found in base branch: main

Vulnerability Details

swagger-ui before 3.20.9 fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript, leading to Cross-Site Scripting (XSS).

Publish Date: 2019-02-23

URL: WS-2019-0172

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/976

Release Date: 2019-02-23

Fix Resolution: 3.20.9

WS-2019-0236

Vulnerable Library - swagger-ui-2.2.10.tgz

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz

Dependency Hierarchy:

  • swagger-ui-2.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f

Found in base branch: main

Vulnerability Details

swagger-ui versions before 3.0.13 are vulnerable to XSS because the UI fails to sanitize YAML files imported from URLs or pasted in by the user. This may allow attackers to execute arbitrary JavaScript.

Publish Date: 2017-06-02

URL: WS-2019-0236

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/985

Release Date: 2017-06-02

Fix Resolution: 3.0.13

CVE-2018-25031

Vulnerable Library - swagger-ui-2.2.10.tgz

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz

Dependency Hierarchy:

  • swagger-ui-2.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f

Found in base branch: main

Vulnerability Details

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.

Publish Date: 2022-03-11

URL: CVE-2018-25031

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-qrmm-w75w-3wpx

Release Date: 2022-03-11

Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3

WS-2019-0171

Vulnerable Library - swagger-ui-2.2.10.tgz

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.2.10.tgz

Dependency Hierarchy:

  • swagger-ui-2.2.10.tgz (Vulnerable Library)

Found in HEAD commit: 795f07384506c96f6f7522e106379b8f4ee3c48f

Found in base branch: main

Vulnerability Details

swagger-ui before 3.18.0 has a reverse tabnabbing vulnerability: it uses target='_blank' in anchor tags, allowing the page opened in the new tab (and thus an attacker controlling it) to access window.opener for the original page.

Publish Date: 2018-08-02

URL: WS-2019-0171

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/975

Release Date: 2018-08-02

Fix Resolution: 3.18.0

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Mar 13, 2023
@mend-for-github-com mend-for-github-com bot changed the title swagger-ui-2.2.10.tgz: 5 vulnerabilities (highest severity is: 9.8) swagger-ui-2.2.10.tgz: 5 vulnerabilities (highest severity is: 9.8) - autoclosed Mar 13, 2023
@mend-for-github-com
Contributor Author

ℹ️ This issue was automatically closed by Mend because it is a duplicate of an existing issue: #59

