CVE-2019-17495 (High) detected in springfox-swagger-ui-2.4.0.jar
Closed this issue · 1 comments
CVE-2019-17495 - High Severity Vulnerability
Vulnerable Library - springfox-swagger-ui-2.4.0.jar
JSON API documentation for spring based applications
Library home page: https://github.com/springfox/springfox
Path to dependency file: /pom.xml
Path to vulnerable library: /er/.m2/repository/io/springfox/springfox-swagger-ui/2.4.0/springfox-swagger-ui-2.4.0.jar
Dependency Hierarchy:
- ❌ springfox-swagger-ui-2.4.0.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
Publish Date: 2019-10-10
URL: CVE-2019-17495
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17495
Release Date: 2019-10-10
Fix Resolution: 3.23.11
Step up your Open Source Security Game with WhiteSource here
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.