MendDemo-josh / java-sec-code2

Java web common vulnerabilities and security code which is based on Spring Boot and Spring Security

springfox-swagger-ui-2.9.2.jar: 2 vulnerabilities (highest severity is: 9.8) unreachable #14

Open mend-for-github-com[bot] opened 7 months ago

mend-for-github-com[bot] commented 7 months ago
### Vulnerable Library - springfox-swagger-ui-2.9.2.jar

JSON API documentation for spring based applications

Library home page: https://github.com/springfox/springfox

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/springfox/springfox-swagger-ui/2.9.2/springfox-swagger-ui-2.9.2.jar

### Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (springfox-swagger-ui version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-17495 | Critical | 9.8 | Not Defined | 1.7% | springfox-swagger-ui-2.9.2.jar | Direct | swagger-ui - 3.23.11, io.springfox:springfox-swagger-ui:2.10.0 | | Unreachable |
| CVE-2018-25031 | Medium | 4.3 | Not Defined | 0.4% | springfox-swagger-ui-2.9.2.jar | Direct | swagger-ui - 4.1.3; swagger-ui-dist - 4.1.3 | | Unreachable |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

### Details

#### CVE-2019-17495

### Vulnerable Library - springfox-swagger-ui-2.9.2.jar


Dependency Hierarchy:

- :x: **springfox-swagger-ui-2.9.2.jar** (Vulnerable Library)

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that