Swashbuckle repackages the swagger-ui-dist npm package and thus inherits a server side request forgery vulnerability outlined in GHSA-qrmm-w75w-3wpx.
This was fixed in Swagger version 4.1.3 and released in Swashbuckle version 6.4 per 401c7cb.
Per discussion in github/advisory-database#900, the ideal security workflow is that the maintainers of the Swashbuckle library should create a separate GitHub Security Advisory in order to alert consumers to the vulnerability and describe any recommended mitigation or upgrade steps.
Per the best practices, I would recommend the advisory contain the following information:
Title: Server side request forgery in Swashbuckle.AspNetCore
Ecosystem: NuGet
Package Name: Swashbuckle.AspNetCore.SwaggerUI
Affected versions: < 6.4
Patched versions: 6.4
Description:
SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like editor.swagger.io where users often want to see what their OpenAPI definitions would look like rendered.
However, this functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.
Resolution:
Upgrade to Swashbuckle.AspNetCore.SwaggerUI 6.4, which includes a change in the core SwaggerUI library to disable query parameters.
Alternatively, review the provided workaround in GHSA-qrmm-w75w-3wpx to disable the use of the ?url parameter.
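The request pattern the post describes (a self-hosted Swagger UI asked to render a definition fetched from somewhere else through the ?url parameter) leaves a trace in the web server's access log, so it can be hunted for after the fact on instances that have not yet been upgraded. The following is an added example, not code from the issue or from the Swashbuckle project: a small Python scanner that reads combined-format access-log lines and reports every request to the UI path whose url parameter resolves to a host other than the instance's own. The /swagger/ route prefix (Swashbuckle's default), the set of own hostnames, the sample log lines and the choice to check only the url key are assumptions made for the example.

```python
"""Find access-log requests that point a self-hosted Swagger UI at a remote
OpenAPI definition via the ?url query parameter (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Swagger UI reads configuration keys from the query string; "url" is the one
# the advisory text discusses. Assumption for this example: only "url" is
# checked. Extend the tuple if your deployment exposes other remote-loading keys.
REMOTE_SPEC_PARAMS = ("url",)

# Combined log format: client ident user [time] "METHOD target HTTP/x" status size
_REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Constructed sample lines for the example; this is not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /swagger/index.html HTTP/1.1" 200 1234
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /swagger/v1/swagger.json HTTP/1.1" 200 5678
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /swagger/index.html?url=https://attacker.example/evil.yaml HTTP/1.1" 200 1234
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /swagger/index.html?url=/swagger/v1/swagger.json HTTP/1.1" 200 1234
192.0.2.4 - - [10/Oct/2023:13:57:11 +0000] "GET /swagger/index.html?url=https://api.example.com/swagger/v1/swagger.json HTTP/1.1" 200 1234
"""


def remote_spec_target(target, own_hosts):
    """Return the off-origin URL carried by a remote-spec parameter, or None.

    `target` is the request target (path plus query). Relative values such as
    /swagger/v1/swagger.json have no host component and stay on the UI's own
    origin, so they are not flagged. Scheme-relative values such as
    //evil.example/x.json do carry a host and are flagged, because the browser
    resolves them to that host.
    """
    own = {h.lower() for h in own_hosts}
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key in REMOTE_SPEC_PARAMS:
        for value in params.get(key, []):
            host = urlsplit(value).hostname
            if host is None:
                continue  # relative path: same origin as the UI itself
            if host.lower() not in own:
                return value
    return None


def find_remote_spec_loads(log_text, own_hosts, ui_prefix="/swagger/"):
    """Scan access-log text and return (client, url) for each request under
    `ui_prefix` whose url parameter points at a host outside `own_hosts`."""
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip it
        target = match.group("target")
        if not target.startswith(ui_prefix):
            continue
        value = remote_spec_target(target, own_hosts)
        if value is not None:
            hits.append((match.group("client"), value))
    return hits


if __name__ == "__main__":
    for client, url in find_remote_spec_loads(SAMPLE_LOG, {"api.example.com"}):
        print(f"{client} asked the UI to load a remote definition from {url}")
```

Run it against your own log export with the hostnames your instance is actually served under; a hit does not prove anyone was phished, but it shows the ?url vector was exercised against that instance and which client did it. Hostname comparison is deliberately exact, so a lookalike such as api.example.com.evil.example is reported.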