swagger-ui-3.2.2.tgz: 15 vulnerabilities (highest severity is: 9.8) - autoclosed

[uriel-mend-app[bot]]

Vulnerable Library - swagger-ui-3.2.2.tgz

[](http://badge.fury.io/js/swagger-ui)

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-3.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/swagger-ui/package.json

Found in HEAD commit: 98943fc5e9dbd58fabdc161b36a3cafcb66ff5db

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (swagger-ui version)	Fix PR available
CVE-2018-3750	High	9.8	deep-extend-0.4.1.tgz	Transitive	3.26.0	✅
CVE-2019-17495	High	9.8	swagger-ui-3.2.2.tgz	Direct	3.26.0	✅
CVE-2019-10744	High	9.1	lodash-4.17.2.tgz	Transitive	3.26.0	✅
CVE-2021-33623	High	7.5	trim-newlines-1.0.0.tgz	Transitive	3.26.0	✅
CVE-2018-14732	High	7.5	webpack-dev-server-2.5.0.tgz	Transitive	3.26.0	✅
CVE-2019-1010266	Medium	6.5	lodash-4.17.2.tgz	Transitive	3.26.0	✅
CVE-2018-3721	Medium	6.5	lodash-4.17.2.tgz	Transitive	3.26.0	✅
WS-2017-3770	Medium	6.1	autolinker-0.28.1.tgz	Transitive	3.26.0	✅
CVE-2018-16487	Medium	5.6	lodash-4.17.2.tgz	Transitive	3.26.0	✅
WS-2018-0593	Medium	5.5	swagger-ui-3.2.2.tgz	Direct	3.26.0	✅
CVE-2020-7608	Medium	5.3	yargs-parser-4.2.1.tgz	Transitive	3.26.0	✅
WS-2021-0154	Medium	5.3	glob-parent-2.0.0.tgz	Transitive	3.26.0	✅
WS-2019-0540	Medium	5.3	autolinker-0.28.1.tgz	Transitive	3.26.0	✅
WS-2019-0172	Medium	5.0	swagger-ui-3.2.2.tgz	Direct	3.26.0	✅
WS-2019-0171	Medium	5.0	swagger-ui-3.2.2.tgz	Direct	3.26.0	✅

Details

CVE-2018-3750

### Vulnerable Library - deep-extend-0.4.1.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/deep-extend/package.json

Dependency Hierarchy: - swagger-ui-3.2.2.tgz (Root Library) - :x: **deep-extend-0.4.1.tgz** (Vulnerable Library)

Found in HEAD commit: 98943fc5e9dbd58fabdc161b36a3cafcb66ff5db

Found in base branch: main

### Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2019-01-24

Fix Resolution (deep-extend): 0.5.1

Direct dependency fix Resolution (swagger-ui): 3.26.0

:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2019-17495

### Vulnerable Library - swagger-ui-3.2.2.tgz

[](http://badge.fury.io/js/swagger-ui)

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-3.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/swagger-ui/package.json

Dependency Hierarchy: - :x: **swagger-ui-3.2.2.tgz** (Vulnerable Library)

Found in HEAD commit: 98943fc5e9dbd58fabdc161b36a3cafcb66ff5db

Found in base branch: main

### Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that