Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mMzZwLTQyanYtOHJoMs4AAvIj
Lithium vulnerable to Cross Site Scripting in provided Swagger-UI
Impact
A XSS vulnerability in the provided (outdated) Swagger-UI is exploitable in applications using lithium with Swagger-UI enabled.
This allows an attacker gain Remote Code Execution (RCE) and potentially exfiltrate secrets in the context of this swagger session.
Patches
The used swagger-ui was updated by switching to the latest version of dropwizard-swagger in 8b9b406d608fe482ec0e7adf8705834bca92d7df
Workarounds
The risk of injected external content can be reduced by setting up a Content-Security-Policy.
References
Credits
We thank Mohit Kumar for reporting this vulnerability!
Permalink: https://github.com/advisories/GHSA-f36p-42jv-8rh2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mMzZwLTQyanYtOHJoMs4AAvIj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: almost 2 years ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Identifiers: GHSA-f36p-42jv-8rh2
References:
- https://github.com/wireapp/lithium/security/advisories/GHSA-f36p-42jv-8rh2
- https://github.com/wireapp/lithium/commit/8b9b406d608fe482ec0e7adf8705834bca92d7df
- https://github.com/advisories/GHSA-f36p-42jv-8rh2
Blast Radius: 5.7
Affected Packages
maven:com.wire.bots:lithium
Affected Version Ranges: < 3.4.2No known fixed version
maven:com.wire:lithium
Dependent packages: 0Dependent repositories: 5
Downloads:
Affected Version Ranges: < 3.4.2
Fixed in: 3.4.2
All affected versions: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0, 3.4.1
All unaffected versions: 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.1, 3.5.2, 3.5.4, 3.5.5, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4