WARNING: This app contains security vulnerabilities. AltoroJ is a sample banking J2EE web application. It shows what happens when web applications are written with consideration of app functionality but not app security. It's a simple and uncluttered platform for demonstrating and learning more about real-life application security issues.
Apache License 2.0
0
stars
0
forks
source link
swagger-ui-2.1.2.min.js: 4 vulnerabilities (highest severity is: 7.3) - autoclosed #9
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - swagger-ui-2.1.2.min.js
Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/2.1.2/swagger-ui.min.js
Path to vulnerable library: /WebContent/swagger/swagger-ui.min.js
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2016-0034
### Vulnerable Library - swagger-ui-2.1.2.min.jsSwagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/2.1.2/swagger-ui.min.js
Path to vulnerable library: /WebContent/swagger/swagger-ui.min.js
Dependency Hierarchy: - :x: **swagger-ui-2.1.2.min.js** (Vulnerable Library)
Found in base branch: AltoroJ-3.2
### Vulnerability DetailsSwagger-ui has vulnerability when "Produces" and "consumes" Content-types in schema are not escaped and allow XSS
Publish Date: 2016-01-13
URL: WS-2016-0034
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-01-13
Fix Resolution: v2.1.5
CVE-2016-1000233
### Vulnerable Library - swagger-ui-2.1.2.min.jsSwagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/2.1.2/swagger-ui.min.js
Path to vulnerable library: /WebContent/swagger/swagger-ui.min.js
Dependency Hierarchy: - :x: **swagger-ui-2.1.2.min.js** (Vulnerable Library)
Found in base branch: AltoroJ-3.2
### Vulnerability Detailsswagger-ui before 2.2.1 automatically executes external Javascript that is loaded in via the url query string parameter
Publish Date: 2019-07-11
URL: CVE-2016-1000233
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2019-07-11
Fix Resolution: 2.2.1
CVE-2016-1000229
### Vulnerable Library - swagger-ui-2.1.2.min.jsSwagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/2.1.2/swagger-ui.min.js
Path to vulnerable library: /WebContent/swagger/swagger-ui.min.js
Dependency Hierarchy: - :x: **swagger-ui-2.1.2.min.js** (Vulnerable Library)
Found in base branch: AltoroJ-3.2
### Vulnerability Detailsswagger-ui has XSS in key names
Publish Date: 2019-12-20
URL: CVE-2016-1000229
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.npmjs.com/advisories/126
Release Date: 2019-12-20
Fix Resolution: 2.2.1
CVE-2018-25031
### Vulnerable Library - swagger-ui-2.1.2.min.jsSwagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API
Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/2.1.2/swagger-ui.min.js
Path to vulnerable library: /WebContent/swagger/swagger-ui.min.js
Dependency Hierarchy: - :x: **swagger-ui-2.1.2.min.js** (Vulnerable Library)
Found in base branch: AltoroJ-3.2
### Vulnerability DetailsSwagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
Publish Date: 2022-03-11
URL: CVE-2018-25031
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-qrmm-w75w-3wpx
Release Date: 2022-03-11
Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3