DEV-REPO-URIEL / AsafFindingBugs


swagger-ui-3.2.2.tgz: 24 vulnerabilities (highest severity is: 9.8) #1

Open dev-mend-for-github-com[bot] opened 1 year ago

dev-mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - swagger-ui-3.2.2.tgz

[![NPM version](https://badge.fury.io/js/swagger-ui.svg)](http://badge.fury.io/js/swagger-ui)

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-3.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/swagger-ui/package.json

Found in HEAD commit: 89d1d81dc833ee45673cd2de1f4dcdeb2dfd8b09

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (swagger-ui version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-37601 | Critical | 9.8 | loader-utils-0.2.17.tgz | Transitive | 3.17.2 | |
| CVE-2019-17495 | Critical | 9.8 | swagger-ui-3.2.2.tgz | Direct | 3.23.11 | |
| CVE-2019-10744 | Critical | 9.1 | lodash-4.17.2.tgz | Transitive | 3.17.2 | |
| CVE-2021-33623 | High | 7.5 | trim-newlines-1.0.0.tgz | Transitive | 3.19.5 | |
| CVE-2018-14732 | High | 7.5 | webpack-dev-server-2.5.0.tgz | Transitive | 3.19.5 | |
| CVE-2020-8203 | High | 7.4 | lodash-4.17.2.tgz | Transitive | 3.17.2 | |
| CVE-2018-3750 | High | 7.3 | deep-extend-0.4.1.tgz | Transitive | 3.14.2 | |
| CVE-2021-23337 | High | 7.2 | lodash-4.17.2.tgz | Transitive | 3.17.2 | |
| CVE-2022-46175 | High | 7.1 | json5-0.5.1.tgz | Transitive | 3.17.2 | |
| WS-2019-0172 | Medium | 6.5 | swagger-ui-3.2.2.tgz | Direct | 3.20.9 | |
| CVE-2019-1010266 | Medium | 6.5 | lodash-4.17.2.tgz | Transitive | 3.17.2 | |
| CVE-2018-3721 | Medium | 6.5 | lodash-4.17.2.tgz | Transitive | 3.11.0 | |
| WS-2017-3770 | Medium | 6.1 | autolinker-0.28.1.tgz | Transitive | 3.26.0 | |
| CVE-2018-16487 | Medium | 5.6 | lodash-4.17.2.tgz | Transitive | 3.17.2 | |
| WS-2018-0593 | Medium | 5.4 | swagger-ui-3.2.2.tgz | Direct | 3.18.0 | |
| WS-2019-0540 | Medium | 5.3 | autolinker-0.28.1.tgz | Transitive | 3.26.0 | |
| CVE-2021-26540 | Medium | 5.3 | sanitize-html-1.27.5.tgz | Transitive | 3.14.1 | |
| CVE-2021-26539 | Medium | 5.3 | sanitize-html-1.27.5.tgz | Transitive | 3.14.1 | |
| CVE-2020-7693 | Medium | 5.3 | sockjs-0.3.18.tgz | Transitive | 3.19.5 | |
| CVE-2020-7608 | Medium | 5.3 | yargs-parser-4.2.1.tgz | Transitive | 3.19.5 | |
| CVE-2020-28500 | Medium | 5.3 | lodash-4.17.2.tgz | Transitive | 3.17.2 | |
| WS-2019-0171 | Medium | 4.3 | swagger-ui-3.2.2.tgz | Direct | 3.18.0 | |
| CVE-2020-15168 | Low | 2.6 | node-fetch-1.7.3.tgz | Transitive | 3.38.0 | |
| WS-2021-0154 | Medium | 0.0 | glob-parent-2.0.0.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether a version of the transitive dependency itself fixes the vulnerability.

**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2022-37601

### Vulnerable Library - loader-utils-0.2.17.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-0.2.17.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/worker-loader/node_modules/loader-utils/package.json

Dependency Hierarchy:
- swagger-ui-3.2.2.tgz (Root Library)
  - worker-loader-0.7.1.tgz
    - :x: **loader-utils-0.2.17.tgz** (Vulnerable Library)

Found in HEAD commit: 89d1d81dc833ee45673cd2de1f4dcdeb2dfd8b09

Found in base branch: main

### Vulnerability Details

Prototype pollution vulnerability in the parseQuery function of parseQuery.js in webpack loader-utils 2.0.0, via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601
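The following is an added illustration of the vulnerability class named in the description, not loader-utils' own parseQuery and not its upstream patch. `splitQuery`, `naiveParseQuery`, `safeParseQuery` and `demonstratePollution` are written for this example; the bracket-path syntax (`a[b]=c`) is an assumption chosen so that the write-through to `Object.prototype` is visible. It runs under Node.js.

```javascript
// Added example: prototype pollution through a query-string parser.
// NOT loader-utils' code. naiveParseQuery is a deliberately simplified
// parser that shows the bug class; safeParseQuery is one possible
// hardening, not the upstream fix.

const RESERVED = new Set(["__proto__", "constructor", "prototype"]);

// Turn "?a=1&b[c]=2" into [{ path: ["a"], value: "1" }, { path: ["b", "c"], value: "2" }].
// Percent-decoding happens here, so any key check must run on the DECODED path:
// "%5F%5Fproto%5F%5F" is "__proto__" after decoding.
function splitQuery(query) {
  const body = query.startsWith("?") ? query.slice(1) : query;
  const pairs = [];
  for (const part of body.split("&")) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const rawName = eq === -1 ? part : part.slice(0, eq);
    const value = eq === -1 ? "" : decodeURIComponent(part.slice(eq + 1));
    const path = decodeURIComponent(rawName).replace(/\]/g, "").split("[");
    pairs.push({ path, value });
  }
  return pairs;
}

// Vulnerable: walks the bracket path into `result` without checking segment
// names. result["__proto__"] IS Object.prototype (an object), so
// "__proto__[polluted]=yes" descends into it and assigns there; every object
// in the process then has a `polluted` property.
function naiveParseQuery(query) {
  const result = {};
  for (const { path, value } of splitQuery(query)) {
    let cur = result;
    for (const seg of path.slice(0, -1)) {
      if (typeof cur[seg] !== "object" || cur[seg] === null) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened: refuse reserved names anywhere in the decoded path, and only
// descend into properties the current object itself owns, never inherited ones.
function safeParseQuery(query) {
  const result = {};
  for (const { path, value } of splitQuery(query)) {
    for (const seg of path) {
      if (RESERVED.has(seg)) throw new Error(`refusing to set reserved key "${seg}"`);
    }
    let cur = result;
    for (const seg of path.slice(0, -1)) {
      const own = Object.prototype.hasOwnProperty.call(cur, seg);
      if (!own || typeof cur[seg] !== "object" || cur[seg] === null) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return result;
}

// Runs the naive parser and reports whether an UNRELATED object gained `prop`.
// Deletes the property from Object.prototype afterwards so the demonstration
// does not leave the process polluted.
function demonstratePollution(query, prop) {
  const bystander = {};
  const before = bystander[prop];
  naiveParseQuery(query);
  const after = bystander[prop];
  delete Object.prototype[prop];
  return { before, after };
}

module.exports = { splitQuery, naiveParseQuery, safeParseQuery, demonstratePollution };
```

Two points carry over to any real parser: the reserved-key check has to run after percent-decoding (a check on the raw string misses the encoded form), and descending only into own properties keeps a crafted key from steering the walk into an inherited object. Returning `Object.create(null)` instead of `{}` is a further option when callers never need prototype methods on the result.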

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (swagger-ui): 3.17.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-17495

### Vulnerable Library - swagger-ui-3.2.2.tgz

[![NPM version](https://badge.fury.io/js/swagger-ui.svg)](http://badge.fury.io/js/swagger-ui)

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-3.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/swagger-ui/package.json

Dependency Hierarchy:
- :x: **swagger-ui-3.2.2.tgz** (Vulnerable Library)

Found in HEAD commit: 89d1d81dc833ee45673cd2de1f4dcdeb2dfd8b09

Found in base branch: main

### Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that