CVE-2018-25031

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.

Published: Mar 11, 2022
Updated: Jul 18, 2024
CVE: CVE-2018-25031
GHSA: GHSA-cr3q-pqgq-m8c2
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
smartbear / swagger_ui	-	4.1.3
swagger-ui	-	4.1.3

https://github.com/swagger-api/swagger-ui/issues/4872
https://github.com/swagger-api/swagger-ui/pull/7697
https://github.com/swagger-api/swagger-ui/releases/tag/v4.1.3
https://security.netapp.com/advisory/ntap-20220407-0004/
https://security.snyk.io/vuln/SNYK-JS-SWAGGERUI-2314885

Vulnerability Database

289,599

CVE-2018-25031