U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Swagger UI
  • Search Type: Search All
  • CPE Name Search: false
There are 4 matching records.
Displaying matches 1 through 4.
Vuln ID Summary CVSS Severity
CVE-2024-22207

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.

Published: January 15, 2024; 11:15:13 AM -0500
V4.0:(not available)
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2018-25031

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.

Published: March 11, 2022; 2:15:07 AM -0500
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-39910

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature.

Published: December 13, 2021; 11:15:08 AM -0500
V4.0:(not available)
V3.1: 4.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-17495

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Published: October 10, 2019; 6:15:10 PM -0400
V4.0:(not available)
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH