akash-k-ephesoft / test-1


springfox-swagger-ui-2.4.0.jar: 2 vulnerabilities (highest severity is: 9.8) #22

Open mend-bolt-for-github[bot] opened 1 year ago

mend-bolt-for-github[bot] commented 1 year ago
## Vulnerable Library - springfox-swagger-ui-2.4.0.jar

JSON API documentation for spring based applications

Library home page: https://github.com/springfox/springfox

Path to vulnerable library: /lib/springfox-swagger-ui-2.4.0.jar

Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2

## Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (springfox-swagger-ui version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-17495 | Critical | 9.8 | springfox-swagger-ui-2.4.0.jar | Direct | swagger-ui - 3.23.11, io.springfox:springfox-swagger-ui:2.10.0 | |
| CVE-2018-25031 | Medium | 4.3 | springfox-swagger-ui-2.4.0.jar | Direct | swagger-ui - 4.1.3; swagger-ui-dist - 4.1.3 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

## Details

CVE-2019-17495

### Vulnerable Library - springfox-swagger-ui-2.4.0.jar

JSON API documentation for spring based applications

Library home page: https://github.com/springfox/springfox

Path to vulnerable library: /lib/springfox-swagger-ui-2.4.0.jar

Dependency Hierarchy:

- :x: **springfox-swagger-ui-2.4.0.jar** (Vulnerable Library)

Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2

Found in base branch: main

### Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that