Veracode Vulnerability Database: VERACODE:45062
History: Jan 16, 2024 - 5:04 a.m.

Directory Traversal

2024-01-16 05:04:53
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
fastify swagger ui
directory traversal
vulnerability
configuration issue
unauthorized access
file exposure

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.9
Confidence: High

EPSS: 0.07
Percentile: 94.1%

fastify-swagger-ui is vulnerable to directory traversal. The vulnerability stems from a default configuration issue in @fastify/swagger-ui: if the baseDir option is not set, the module exposes all files in its directory through the HTTP route it serves. This allows an attacker to gain unauthorized access to files outside the intended scope.
