GMS-2020-783: Cross-Site Scripting in swagger-ui
Affected versions of swagger-ui are vulnerable to cross-site scripting in both the `consumes` and `produces` parameters of the swagger JSON document for a given API. Additionally, swagger-ui allows users to load arbitrary swagger JSON documents via the query string parameter `url`, allowing an attacker to exploit this attack against any user that the attacker can convince to visit a crafted link.
Proof of Concept
http://<USER_HOSTNAME>/swagger-ui/index.html?url=http://<MALICIOUS_HOSTNAME>/malicious-swagger-file.json
Recommendation
Update to version 2.2.1 or later.
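The two weak points the advisory names are untrusted `consumes`/`produces` strings rendered into the page and a spec location taken from the `url` query parameter. The following is an added example, not swagger-ui's own code, showing the defensive handling a front end should apply to both: output-encode the media-type strings before they become markup, and only fetch specs from an operator-defined allow-list of origins (the origin, base URL and sample document are constructed for illustration).

```javascript
// Added defensive example (hypothetical names, not swagger-ui code).

// Escape the HTML-significant characters so a media-type string from
// the spec is rendered as text instead of being parsed as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the <li> markup for a `consumes` or `produces` array.
// Every entry is escaped, so a value carrying tags cannot execute.
function renderMimeList(values) {
  if (!Array.isArray(values)) return '';
  return values
    .filter((v) => typeof v === 'string')
    .map((v) => `<li>${escapeHtml(v)}</li>`)
    .join('');
}

// Only allow the UI to load a spec from allow-listed origins, so a
// crafted link cannot point it at an arbitrary third-party host.
// `base` is the origin the UI itself is served from (constructed value).
function isAllowedSpecUrl(candidate, allowedOrigins, base = 'https://api.example.test') {
  let u;
  try {
    u = new URL(candidate, base);   // resolves relative paths against the UI origin
  } catch {
    return false;                   // unparsable input is rejected outright
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return false;
  return allowedOrigins.includes(u.origin);
}

// Constructed sample spec: the second `consumes` entry carries markup.
const sampleSpec = {
  swagger: '2.0',
  consumes: ['application/json', 'text/plain<b>not-a-tag</b>'],
  produces: ['application/xml'],
};

// Render both lists safely and check a few candidate spec URLs.
function demo() {
  const allowed = ['https://api.example.test'];
  return {
    consumesHtml: renderMimeList(sampleSpec.consumes),
    producesHtml: renderMimeList(sampleSpec.produces),
    relativeOk: isAllowedSpecUrl('/v2/swagger.json', allowed),
    foreignBlocked: !isAllowedSpecUrl('https://other.example.test/spec.json', allowed),
    dataBlocked: !isAllowedSpecUrl('data:text/plain,x', allowed),
  };
}
```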