CVE-2018-25031

moderate-risk

Published 2022-03-11

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.

Do I need to act?

80.4% chance of exploitation in next 30 days

EPSS score — higher than 20% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Swagger Ui

Affected Vendors

Smartbear

References (8)

Issue Tracking https://github.com/swagger-api/swagger-ui/issues/4872

Release Notes https://github.com/swagger-api/swagger-ui/releases/tag/v4.1.3

Third Party Advisory https://security.netapp.com/advisory/ntap-20220407-0004/

Patch https://security.snyk.io/vuln/SNYK-JS-SWAGGERUI-2314885

Issue Tracking https://github.com/swagger-api/swagger-ui/issues/4872

Release Notes https://github.com/swagger-api/swagger-ui/releases/tag/v4.1.3

Third Party Advisory https://security.netapp.com/advisory/ntap-20220407-0004/

Patch https://security.snyk.io/vuln/SNYK-JS-SWAGGERUI-2314885

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 20/34 · Moderate

Exposure 5/34 · Minimal