This repository has been archived by the owner on Oct 2, 2023. It is now read-only.

CVE-2019-17495 (Critical) detected in springfox-swagger-ui-2.4.0.jar #131

Open
mend-bolt-for-github bot opened this issue Jul 13, 2022 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource


mend-bolt-for-github bot commented Jul 13, 2022

CVE-2019-17495 - Critical Severity Vulnerability

Vulnerable Library - springfox-swagger-ui-2.4.0.jar

JSON API documentation for spring based applications

Library home page: https://github.com/springfox/springfox

Path to dependency file: /exec-api/pom.xml

Path to vulnerable library: /ository/io/springfox/springfox-swagger-ui/2.4.0/springfox-swagger-ui-2.4.0.jar,/ository/io/springfox/springfox-swagger-ui/2.4.0/springfox-swagger-ui-2.4.0.jar

Dependency Hierarchy:

  • springfox-swagger-ui-2.4.0.jar (Vulnerable Library)

Found in HEAD commit: 7b16df0bfd847c502ac80c1464fe08140edf5d0d

Found in base branch: master

Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Publish Date: 2019-10-10

URL: CVE-2019-17495

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/maven/io.springfox/springfox-swagger-ui/CVE-2019-17495.yml

Release Date: 2019-10-10

Fix Resolution: swagger-ui - 3.23.11, io.springfox:springfox-swagger-ui:2.10.0


@mend-bolt-for-github mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Jul 13, 2022
@mend-bolt-for-github mend-bolt-for-github bot changed the title CVE-2019-17495 (High) detected in springfox-swagger-ui-2.4.0.jar CVE-2019-17495 (Critical) detected in springfox-swagger-ui-2.4.0.jar Aug 29, 2023