CVE-2018-25031 (Medium) detected in swagger-ui-3.19.2.js, swagger-ui-bundle-3.19.2.js

[mend-for-github-com]

CVE-2018-25031 - Medium Severity Vulnerability

Vulnerable Libraries - swagger-ui-3.19.2.js, swagger-ui-bundle-3.19.2.js

swagger-ui-3.19.2.js

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.2/swagger-ui.js

Path to vulnerable library: /webapp/static/oas3/swagger-ui.js

Dependency Hierarchy:

• ❌ swagger-ui-3.19.2.js (Vulnerable Library)

swagger-ui-bundle-3.19.2.js

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.2/swagger-ui-bundle.js

Path to vulnerable library: /webapp/static/oas3/swagger-ui-bundle.js

Dependency Hierarchy:

• ❌ swagger-ui-bundle-3.19.2.js (Vulnerable Library)

Vulnerability Details

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.

Publish Date: 2022-03-11

URL: CVE-2018-25031

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qrmm-w75w-3wpx

Release Date: 2022-03-11

Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3