WARNING: This app contains security vulnerabilities. AltoroJ is a sample banking J2EE web application. It shows what happens when web applications are written with consideration of app functionality but not app security. It's a simple and uncluttered platform for demonstrating and learning more about real-life application security issues.
Apache License 2.0
0
stars
0
forks
source link
swagger-ui-bundle-3.19.3.js: 1 vulnerabilities (highest severity is: 4.3) #11
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.
Mend Note: Converted from WS-2021-0461, on 2022-12-21.
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-bundle.js
Path to dependency file: /WebContent/swagger/index.html
Path to vulnerable library: /WebContent/swagger/./swagger-ui-bundle.js
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2018-25031
### Vulnerable Library - swagger-ui-bundle-3.19.3.jsSwagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-bundle.js
Path to dependency file: /WebContent/swagger/index.html
Path to vulnerable library: /WebContent/swagger/./swagger-ui-bundle.js
Dependency Hierarchy: - :x: **swagger-ui-bundle-3.19.3.js** (Vulnerable Library)
Found in base branch: AltoroJ-3.2
### Vulnerability DetailsSwagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others. Mend Note: Converted from WS-2021-0461, on 2022-12-21.
Publish Date: 2022-03-11
URL: CVE-2018-25031
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-qrmm-w75w-3wpx
Release Date: 2022-03-11
Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3