Vulnerability Database

309,614

Total vulnerabilities in the database

Lithium vulnerable to Cross Site Scripting in provided Swagger-UI

Impact

A XSS vulnerability in the provided (outdated) Swagger-UI is exploitable in applications using lithium with Swagger-UI enabled. This allows an attacker gain Remote Code Execution (RCE) and potentially exfiltrate secrets in the context of this swagger session.

Patches

The used swagger-ui was updated by switching to the latest version of dropwizard-swagger in 8b9b406d608fe482ec0e7adf8705834bca92d7df

Workarounds

The risk of injected external content can be reduced by setting up a Content-Security-Policy.

References

https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/

Credits

We thank Mohit Kumar for reporting this vulnerability!

Published: Sep 30, 2022
Updated: Apr 14, 2023
GHSA: GHSA-f36p-42jv-8rh2
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
com.wire / lithium	-	3.4.2
com.wire.bots / lithium	-	-

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo