CVSS2: 7.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.002 Low
Percentile: 53.2%
Impact: http-swagger before v1.2.6 allows an unauthenticated remote attacker to perform a denial-of-service (DoS) attack by exhausting memory on the host system.
Patches: Yes. Please upgrade to v1.2.6.
Workarounds: restrict the route for the swagger path prefix to the GET method, so that requests with any other HTTP method never reach the http-swagger handler. With gorilla/mux this looks as shown below:
```go
package main

import (
	"net/http"
	"github.com/gorilla/mux" // mux.NewRouter() is gorilla/mux's API; import inferred from that call
	httpSwagger "github.com/swaggo/http-swagger"
)

func main() {
	r := mux.NewRouter()
	r.PathPrefix("/swagger/").Handler(httpSwagger.Handler(
		httpSwagger.URL("http://localhost:1323/swagger/doc.json"), // The url pointing to API definition
		httpSwagger.DeepLinking(true),
		httpSwagger.DocExpansion("none"),
		httpSwagger.DomID("#swagger-ui"),
	)).Methods(http.MethodGet) // any other method is rejected by the router before the handler runs
	http.ListenAndServe(":1323", r)
}
```
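The same restriction for applications that do not use gorilla/mux, as an added example that is not part of the advisory and not http-swagger's own code: a plain net/http middleware that answers 405 with an Allow header to anything but GET, mounted in front of the handler, plus an in-process probe that confirms the wrapped handler is never reached for other verbs. The swagger handler is replaced by a hypothetical stub so the block runs offline; getOnly, swaggerStub and probe are names chosen here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// getOnly rejects every method except GET before the wrapped handler runs.
// This is the workaround from the advisory expressed as stdlib middleware, not http-swagger code.
func getOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			w.Header().Set("Allow", http.MethodGet)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// swaggerStub is a hypothetical stand-in for httpSwagger.Handler(...) so the
// example runs without the dependency; it only counts requests that reach it.
type swaggerStub struct{ hits int }

func (s *swaggerStub) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	s.hits++
	fmt.Fprint(w, "swagger ui")
}

// probe sends one in-memory request with the given method through a router that
// mounts the guarded stub under /swagger/ and returns the status code together
// with the number of requests that made it past the guard (0 or 1).
func probe(method, path string) (status int, reached int) {
	stub := &swaggerStub{}
	router := http.NewServeMux()
	router.Handle("/swagger/", getOnly(stub))
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code, stub.hits
}

func main() {
	// Constructed sample: the usual verbs plus an unusual one, all against the swagger prefix.
	for _, m := range []string{http.MethodGet, http.MethodPost, http.MethodPut, "PROPFIND"} {
		code, reached := probe(m, "/swagger/index.html")
		fmt.Printf("%-8s -> %d (handler reached: %d)\n", m, code, reached)
	}
}
```

Only GET yields 200 and a hit on the stub; every other method gets 405 and the handler is never entered, which is the property the workaround relies on. The check belongs in the application's own test suite so that a later routing change cannot silently reopen the path.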
Reporter: dongguangli from https://www.huoxian.cn/
If you have any questions or comments about this advisory:
| CPE | Name | Operator | Version |
|---|---|---|---|
| | github.com/swaggo/http-swagger | lt | 1.2.6 |
cosmosofcyberspace.github.io/improper_http_method_leads_to_xss/poc.html
github.com/advisories/GHSA-xg75-q3q5-cqmv
github.com/swaggo/http-swagger/commit/b7d83e8fba85a7a51aa7e45e8244b4173f15049e
github.com/swaggo/http-swagger/pull/62
github.com/swaggo/http-swagger/releases/tag/v1.2.6
github.com/swaggo/http-swagger/security/advisories/GHSA-xg75-q3q5-cqmv
nvd.nist.gov/vuln/detail/CVE-2022-24863