CVE-2018-25031


Date: March 11, 2022

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others. Converted from WS-2021-0461, on 2022-12-21.
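The description above concerns Swagger UI loading a remote OpenAPI definition chosen by a crafted URL. As an added mitigation example (not code from this advisory or from the Swagger UI project), the page can select the definition from a fixed allowlist and disable query-string configuration instead of trusting whatever the request carries. The names `ALLOWED_SPECS`, `pickSpecUrl` and `buildSwaggerConfig` and the sample URLs are this example's own; `url`, `dom_id` and `queryConfigEnabled` are real Swagger UI configuration options.

```javascript
// Constructed sample allowlist: the only OpenAPI definitions this deployment serves.
const ALLOWED_SPECS = {
  petstore: "https://api.example.test/openapi/petstore.json",
  billing: "https://api.example.test/openapi/billing.json",
};
const DEFAULT_SPEC = "petstore";

// Map the page URL to a definition URL. Only keys of ALLOWED_SPECS are honoured
// (via a short `spec=` key, this example's own convention); a raw `url=` value in
// the query string is never used, so a crafted link cannot point the UI elsewhere.
function pickSpecUrl(pageHref) {
  const params = new URL(pageHref).searchParams;
  const key = params.get("spec");
  if (key !== null && Object.prototype.hasOwnProperty.call(ALLOWED_SPECS, key)) {
    return ALLOWED_SPECS[key];
  }
  return ALLOWED_SPECS[DEFAULT_SPEC];
}

// Options object to hand to SwaggerUIBundle(...) in the browser.
// queryConfigEnabled: false stops Swagger UI reading its own settings
// (including `url`) from the query string, regardless of the installed version.
function buildSwaggerConfig(pageHref) {
  return {
    url: pickSpecUrl(pageHref),
    queryConfigEnabled: false,
    dom_id: "#swagger-ui",
  };
}
```

In the page itself this is used as `SwaggerUIBundle(buildSwaggerConfig(window.location.href))`; upgrading remains the primary fix, the allowlist is defence in depth.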

Language: JS

Severity Score

Weakness Type (CWE)

Improper Input Validation

CWE-20

Server-Side Request Forgery (SSRF)

CWE-918

Insecure Storage of Sensitive Information

CWE-922

Top Fix


Upgrade Version

Upgrade to version 4.1.3 of the affected package: swagger-ui 4.1.3, or org.webjars:swagger-ui:4.1.3


CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE