Ship to swagger ui 3.23.11 to fix vulnerabilities with a CVE identifier. #9331

zhoumeina · 2019-10-08T05:37:09Z

Summary of Issues:

A report in a live service from an external researcher led to an investigation in swagger-ui open source software. This investigation uncovered the following:

swagger-ui does not associate publicly known vulnerabilities with a CVE identifier.
swagger-ui 2.x went EOL in 2017. See: https://github.com/swagger-api/swagger-ui/security/policy
The majority of products consuming swagger-ui are shipping with an EOL 2.x version which contains an unknown number of potentially critical severity vulnerabilities.
As recent as 10 days ago swagger-ui shipped a release with fixed vulnerabilities which were not publicly disclosed with an associated CVE identifier. See: mitigate "sequential @import chaining" vulnerability swagger-api/swagger-ui#5616

Fixed Versions:

swagger-ui v3.23.11: https://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11

zhoumeina · 2019-10-08T05:37:58Z

fixed by pr: #9330

zhoumeina self-assigned this Oct 8, 2019

zhoumeina closed this as completed Oct 8, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ship to swagger ui 3.23.11 to fix vulnerabilities with a CVE identifier. #9331

Ship to swagger ui 3.23.11 to fix vulnerabilities with a CVE identifier. #9331

zhoumeina commented Oct 8, 2019

zhoumeina commented Oct 8, 2019

Ship to swagger ui 3.23.11 to fix vulnerabilities with a CVE identifier. #9331

Ship to swagger ui 3.23.11 to fix vulnerabilities with a CVE identifier. #9331

Comments

zhoumeina commented Oct 8, 2019

zhoumeina commented Oct 8, 2019