Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk: Medium] User Interface (UI) Misrepresentation of Critical Information (03/08/2022) #5007

Closed
1 task done
pkfec opened this issue Dec 15, 2021 · 1 comment
Closed
1 task done

[Snyk: Medium] User Interface (UI) Misrepresentation of Critical Information (03/08/2022) #5007

pkfec opened this issue Dec 15, 2021 · 1 comment
Assignees
@pkfec
Labels
Security: moderate Remediate within 60 days
Milestone
Sprint 17.4

Comments

@pkfec
Copy link
Contributor

pkfec commented Dec 15, 2021
edited

Overview:

Swagger-ui-dist is a module that exposes Swagger-UI's entire dist folder as a dependency-free npm module. Use swagger-ui instead, if you'd like to have npm install dependencies for you.

Affected versions of this package are vulnerable to User Interface (UI) Misrepresentation of Critical Information via the ?url parameter, which was intended to allow displaying remote OpenAPI definitions. This functionality may pose a risk for users who host their own SwaggerUI instances. In particular, including remote OpenAPI definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.

https://security.snyk.io/vuln/SNYK-JS-SWAGGERUIDIST-2314884

Detailed paths:

Introduced through: swagger-ui-dist@3.22.0

Remediation:

Refer to completion criteria

Completion criteria:

  • Update swagger-ui-dist to 4.1.3 or higher
@pkfec pkfec added the Security: moderate Remediate within 60 days label Dec 15, 2021
@pkfec pkfec mentioned this issue Dec 15, 2021
Closed
1 task
@pkfec pkfec mentioned this issue Dec 22, 2021
Closed
This was referenced Dec 29, 2021
Closed
Closed
@patphongs patphongs added this to the Sprint 17.3 milestone Jan 10, 2022
@pkfec pkfec mentioned this issue Jan 12, 2022
Closed
1 task
@fec-jli fec-jli mentioned this issue Jan 19, 2022
Closed
@patphongs patphongs mentioned this issue Jan 27, 2022
Closed
1 task
@cnlucas cnlucas mentioned this issue Feb 2, 2022
Closed
@hcaofec hcaofec mentioned this issue Feb 9, 2022
Closed
1 task
@patphongs patphongs mentioned this issue Feb 16, 2022
Closed
@pkfec pkfec mentioned this issue Feb 23, 2022
Closed
@pkfec pkfec modified the milestones: Sprint 17.3, Sprint 17.4 Feb 28, 2022
@pkfec pkfec mentioned this issue Mar 1, 2022
Merged
@pkfec
Copy link
Contributor Author

pkfec commented Mar 2, 2022

Merged PR #5060. Closing this issue.

@pkfec pkfec closed this as completed Mar 2, 2022
@patphongs patphongs mentioned this issue Feb 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@pkfec pkfec

Labels
Security: moderate Remediate within 60 days
Projects
None yet
Milestone
Sprint 17.4
Development

No branches or pull requests
3 participants
@pkfec @patphongs @JonellaCulmer