Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
CVE-2018-25031 - Medium Severity Vulnerability
Vulnerable Libraries - swagger-ui-dist-3.48.0.tgz, swagger-ui-bundle-3.48.0.js
swagger-ui-dist-3.48.0.tgz
Library home page: https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-3.48.0.tgz
Path to dependency file: /barista-api/package.json
Path to vulnerable library: /barista-api/node_modules/swagger-ui-dist/package.json
Dependency Hierarchy:
- swagger-ui-express-4.1.6.tgz (Root Library)
  - :x: **swagger-ui-dist-3.48.0.tgz** (Vulnerable Library)
swagger-ui-bundle-3.48.0.js
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.48.0/swagger-ui-bundle.js
Path to dependency file: /barista-api/node_modules/swagger-ui-dist/index.html
Path to vulnerable library: /barista-api/node_modules/swagger-ui-dist/./swagger-ui-bundle.js
Dependency Hierarchy:
- :x: **swagger-ui-bundle-3.48.0.js** (Vulnerable Library)
Found in HEAD commit: 2b8e77b2ff0d688bfd2ffb44061287e82fa71967
Found in base branch: master
Vulnerability Details
Publish Date: 2022-03-11
URL: CVE-2018-25031
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-qrmm-w75w-3wpx
Release Date: 2022-03-11
Fix Resolution (swagger-ui-dist): 4.1.3
Direct dependency fix Resolution (swagger-ui-express): 4.2.0
:rescue_worker_helmet: Automatic Remediation is available for this issue