cglaeser / conversion-demo


springfox-swagger-ui-2.9.2.jar: 3 vulnerabilities (highest severity is: 9.8) #28

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - springfox-swagger-ui-2.9.2.jar

JSON API documentation for spring based applications

Library home page: https://github.com/springfox/springfox

Path to dependency file: /backend/pom.xml

Path to vulnerable library: /itory/io/springfox/springfox-swagger-ui/2.9.2/springfox-swagger-ui-2.9.2.jar

Found in HEAD commit: 54081235f8a283d567f5bcfc44a5388f5ddeae3e

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2019-17495 | High | 9.8 | springfox-swagger-ui-2.9.2.jar | Direct | 3.23.11 | |
| WS-2021-0461 | Medium | 6.1 | springfox-swagger-ui-2.9.2.jar | Direct | swagger-ui - 4.1.3; swagger-ui-dist - 4.1.3 | |
| CVE-2018-25031 | Medium | 4.3 | springfox-swagger-ui-2.9.2.jar | Direct | swagger-ui - 4.1.3; swagger-ui-dist - 4.1.3 | |

Details

CVE-2019-17495

### Vulnerable Library - springfox-swagger-ui-2.9.2.jar

JSON API documentation for spring based applications

Library home page: https://github.com/springfox/springfox

Path to dependency file: /backend/pom.xml

Path to vulnerable library: /itory/io/springfox/springfox-swagger-ui/2.9.2/springfox-swagger-ui-2.9.2.jar

Dependency Hierarchy:

- :x: **springfox-swagger-ui-2.9.2.jar** (Vulnerable Library)

Found in HEAD commit: 54081235f8a283d567f5bcfc44a5388f5ddeae3e

Found in base branch: master

### Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that