Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2018-25031: add an `enableQueryConfig` option · Issue #4872 · swagger-api/swagger-ui

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.

CVE
Open in Source
#xss#vulnerability#auth

Content & configuration

Swagger-UI configuration options:

SwaggerUI({ enableQueryConfig: false // new })

Is your feature request related to a problem?

We’ve observed that the ?url= parameter in SwaggerUI allows an attacker to override an otherwise hard-coded schema file. This opens the door to issues such as #3847 and #4789 which would otherwise be prevented by hard-coding the schema file URL.

The behavior appears to be a regression in the 3.x releases. It can easily be reproduced by passing in a URL to the SwaggerUIBundle constructor and then using the ?url parameter to override it, while observing the behavior in the Net panel of your browser’s developer tools. Note that CORS rules can prevent a test from succeeding, but do not prevent a real attack.

const ui = SwaggerUIBundle({
  ...
  url: 'some-hard-coded-path.yml'
});

Additionally, the URL parameter is dangerous in general because it allows an attacker to provide a similar schema file that instead sends authorization requests to a server under an attacker’s control, which makes it much easier to trick a user into leaking their login credentials. So the URL parameter should not be allowed in any setting where authentication or other sensitive information is used. I’d recommend disabling it by default and cautioning users against enabling it.

Describe the solution you’d like

for 3.x: Add an enableQueryParam or similar option. If omitted, default to false if a URL is passed into the constructor, otherwise default true.
for 4.x: Change the default when omitted to false.

Describe alternatives you’ve considered

Our workaround was to detect the URL parameter before initializing SwaggerUI and failing early if it was set.

Additional context

This is taken from a security report given to the Swagger team by Ken Winters, based on investigation done by Gaurav Shet and Ben Zulanch - all over at NetApp.

The decision was made to put this in the public issue tracker because (a) we aren’t going to immediately fix this, and (b) the attack surface for this is significantly diminished by our effective sanitization efforts to deter XSS attacks in documents used as input.

Related news

Swagger UI 4.1.3 Critical Information Misrepresentation

Swagger UI version 4.1.3 user interface misrepresentation of information proof of concept exploit.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE