Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02MmpyLTg0Z2Ytd21nNM4AA4eS
Default swagger-ui configuration exposes all files in the module
Impact
The default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module's directory being exposed via http routes served by the module.
Patches
Update to v2.1.0
Workarounds
Use the baseDir option
References
Permalink: https://github.com/advisories/GHSA-62jr-84gf-wmg4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02MmpyLTg0Z2Ytd21nNM4AA4eS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 3 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-62jr-84gf-wmg4, CVE-2024-22207
References:
- https://github.com/fastify/fastify-swagger-ui/security/advisories/GHSA-62jr-84gf-wmg4
- https://nvd.nist.gov/vuln/detail/CVE-2024-22207
- https://github.com/fastify/fastify-swagger-ui/commit/13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7
- https://security.netapp.com/advisory/ntap-20240216-0002
- https://github.com/advisories/GHSA-62jr-84gf-wmg4
Blast Radius: 15.2
Affected Packages
npm:@fastify/swagger-ui
Dependent packages: 85Dependent repositories: 739
Downloads: 633,509 last month
Affected Version Ranges: >= 2.0.0, < 2.1.0
Fixed in: 2.1.0
All affected versions: 2.0.0, 2.0.1
All unaffected versions: 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.2, 1.9.3, 1.10.0, 1.10.1, 1.10.2, 2.1.0, 3.0.0