5.3

CVE-2024-22207

Default swagger-ui configuration exposes all files in the module

fastify-swagger-ui is a Fastify plugin for serving Swagger UI.  Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module.  The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SmartbearSwagger Ui SwPlatformnode.js Version >= 2.0.0 < 2.1.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2% 0.782
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

https://github.com/fastify/fastify-swagger-ui/commit/13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7
Patch
https://github.com/fastify/fastify-swagger-ui/security/advisories/GHSA-62jr-84gf-wmg4
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240216-0002/