Skip to content

swagger-ui-standalone-preset-3.19.3.js: 3 vulnerabilities (highest severity is: 9.8) #2

Description

@mend-for-github-com
Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js

Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (swagger-ui-standalone-preset version) Remediation Possible**
CVE-2019-17495 Critical 9.8 swagger-ui-standalone-preset-3.19.3.js Direct swagger-ui - 3.23.11, io.springfox:springfox-swagger-ui:2.10.0
WS-2019-0172 Medium 6.5 swagger-ui-standalone-preset-3.19.3.js Direct swagger-ui - 3.20.9,swagger-api/swagger-ui - v/3.18.0,swagger-ui - 3.20.9,kevupton/auto-swagger-ui - v0.0.1,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/dompurify-3.0.8,zhaojunlike/think-swagger - 1.0.0,esandri/swagger-ui-big - v2.0.0,swagger-api/swagger-ui - dev-fix/xml-oneOf,swagger-api/swagger-ui - dev-issue-5148,dreamfactory/df-swagger-ui - 3.3.1,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/babel/runtime-corejs3-7.22.3,westhack/think-swagger - no_fix,3.20.9,swagger-api/swagger-ui - 3.3.1,swagger-api/swagger-ui - dev-fix-null-value-parsing,dreamfactory/df-swagger-ui - 0.2.0,dreamfactory/df-swagger-ui - v1.0,swagger-api/swagger-ui - dev-facelift,esandri/swagger-ui-big - v3.0.0,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/mocha-9.0.2,swagger-api/swagger-ui - v3.20.9,esandri/swagger-ui-big - no_fix,westhack/think-swagger - 1.0.0,kevupton/auto-swagger-ui - no_fix
CVE-2018-25031 Medium 4.3 swagger-ui-standalone-preset-3.19.3.js Direct swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-17495

Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js

Dependency Hierarchy:

  • swagger-ui-standalone-preset-3.19.3.js (Vulnerable Library)

Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a

Found in base branch: AltoroJ-3.2

Vulnerability Details

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@⁠import within the JSON data was a functional attack method.

Publish Date: 2019-10-10

URL: CVE-2019-17495

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/maven/io.springfox/springfox-swagger-ui/CVE-2019-17495.yml

Release Date: 2019-10-10

Fix Resolution: swagger-ui - 3.23.11, io.springfox:springfox-swagger-ui:2.10.0

WS-2019-0172

Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js

Dependency Hierarchy:

  • swagger-ui-standalone-preset-3.19.3.js (Vulnerable Library)

Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a

Found in base branch: AltoroJ-3.2

Vulnerability Details

swagger-ui before 3.20.9 fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript. that leads to Cross-Site Scripting

Publish Date: 2026-05-27

URL: WS-2019-0172

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.mend.io/vulnerability-database/WS-2019-0172

Release Date: 2026-05-14

Fix Resolution: swagger-ui - 3.20.9,swagger-api/swagger-ui - v/3.18.0,swagger-ui - 3.20.9,kevupton/auto-swagger-ui - v0.0.1,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/dompurify-3.0.8,zhaojunlike/think-swagger - 1.0.0,esandri/swagger-ui-big - v2.0.0,swagger-api/swagger-ui - dev-fix/xml-oneOf,swagger-api/swagger-ui - dev-issue-5148,dreamfactory/df-swagger-ui - 3.3.1,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/babel/runtime-corejs3-7.22.3,westhack/think-swagger - no_fix,3.20.9,swagger-api/swagger-ui - 3.3.1,swagger-api/swagger-ui - dev-fix-null-value-parsing,dreamfactory/df-swagger-ui - 0.2.0,dreamfactory/df-swagger-ui - v1.0,swagger-api/swagger-ui - dev-facelift,esandri/swagger-ui-big - v3.0.0,swagger-api/swagger-ui - dev-dependabot/npm_and_yarn/mocha-9.0.2,swagger-api/swagger-ui - v3.20.9,esandri/swagger-ui-big - no_fix,westhack/think-swagger - 1.0.0,kevupton/auto-swagger-ui - no_fix

CVE-2018-25031

Vulnerable Library - swagger-ui-standalone-preset-3.19.3.js

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.19.3/swagger-ui-standalone-preset.js

Dependency Hierarchy:

  • swagger-ui-standalone-preset-3.19.3.js (Vulnerable Library)

Found in HEAD commit: 74c673a06bd75b265cded5a04bc7fb11c78a5d8a

Found in base branch: AltoroJ-3.2

Vulnerability Details

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.

Publish Date: 2022-03-11

URL: CVE-2018-25031

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qrmm-w75w-3wpx

Release Date: 2022-03-11

Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions