CVE-2024-22207
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the baseDir option can also work around this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| fastify | fastify-swagger-ui | < 2.1.0 | affected |
Weaknesses
- CWE-1188: CWE-1188: Insecure Default Initialization of Resource
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/fastify/fastify-swagger-ui/security/advisories/GHSA-62jr-84gf-wmg4
- https://github.com/fastify/fastify-swagger-ui/commit/13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7
- https://security.netapp.com/advisory/ntap-20240216-0002/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/fastify/fastify-swagger-ui/security/advisories/GHSA-62jr-84gf-wmg4
- https://github.com/fastify/fastify-swagger-ui/commit/13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7
- https://security.netapp.com/advisory/ntap-20240216-0002/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.