GHSA-62jr-84gf-wmg4

Published: 16 Jan 2024
Source: github
Github: Reviewed
CVSS3: 5.3

Description

Default swagger-ui configuration exposes all files in the module

Impact

The default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module's directory being exposed via http routes served by the module.

Patches

Update to v2.1.0

Workarounds

Use the baseDir option

References

HackerOne report

Packages

Name: @fastify/swagger-ui (npm)
Affected versions: >= 2.0.0, < 2.1.0
Fixed version: 2.1.0

EPSS

Percentile: 95%
0.16258
Medium

CVSS3: 5.3 Medium

Weaknesses

CWE-1188

Related vulnerabilities

CVSS3: 5.3
nvd
about 2 years ago

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.