| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2024-22207 | 15 Jan 2024 17:27 | – | circl |
| Swagger UI Security Vulnerability | 15 Jan 2024 00:00 | – | cnnvd |
| CVE-2024-22207 | 15 Jan 2024 15:40 | – | cve |
| CVE-2024-22207 Default swagger-ui configuration exposes all files in the module | 15 Jan 2024 15:40 | – | cvelist |
| Default swagger-ui configuration exposes all files in the module | 16 Jan 2024 15:24 | – | github |
| CVE-2024-22207 | 15 Jan 2024 16:15 | – | nvd |
| CVE-2024-22207 Default swagger-ui configuration exposes all files in the module | 15 Jan 2024 15:40 | – | osv |
| GHSA-62JR-84GF-WMG4 Default swagger-ui configuration exposes all files in the module | 16 Jan 2024 15:24 | – | osv |
| Default configuration | 15 Jan 2024 16:15 | – | prion |
| PT-2024-19275 · Unknown · @Fastify/Swagger-Ui | 15 Jan 2024 00:00 | – | ptsecurity |
```yaml
id: CVE-2024-22207

info:
  name: Fastify Swagger-UI - Information Disclosure
  author: DhiyaneshDK,iamnoooob
  severity: medium
  description: |
    fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.
  impact: |
    Unauthenticated attackers can access sensitive files in the Fastify Swagger-UI module directory, potentially exposing source code or configuration files.
  remediation: |
    Update @fastify/swagger-ui to version 2.1.0 or later, or configure the baseDir option.
  reference:
    - https://security.netapp.com/advisory/ntap-20240216-0002/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-22207
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2024-22207
    cwe-id: CWE-1188
    epss-score: 0.02001
    epss-percentile: 0.78346
    cpe: cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:node.js:*:*
  metadata:
    vendor: smartbear
    product: swagger_ui
    framework: node.js
    shodan-query:
      - http.component:"swagger"
      - http.favicon.hash:"-1180440057"
    fofa-query: icon_hash="-1180440057"
  tags: cve,cve2024,swagger-ui,exposure,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/documentation/playwright.config.js"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "module.exports"
          - "defineConfig"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502207e09b6b353a43792a39f8cbe603f920e96b042619c69b8933304c0588a466190022100b7fc276f486a8ef4b83606af81214e8ba1aa19a422a2ec6784c6216d755bd9fa:922c64590222798bb761d5b6d8e72950
```