GMS-2022-4691: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
An XSS vulnerability in the provided (outdated) Swagger-UI is exploitable in applications using lithium with Swagger-UI enabled. This allows an attacker to gain Remote Code Execution (RCE) and potentially exfiltrate secrets in the context of this Swagger session.