Security Headlines

GHSA-f36p-42jv-8rh2: Lithium vulnerable to Cross Site Scripting in provided Swagger-UI

Impact

An XSS vulnerability in the bundled (outdated) Swagger-UI is exploitable in applications that use lithium with Swagger-UI enabled. This allows an attacker to gain Remote Code Execution (RCE) and potentially exfiltrate secrets in the context of the Swagger session.

Patches

The bundled Swagger-UI was updated by switching to the latest version of dropwizard-swagger in commit 8b9b406d608fe482ec0e7adf8705834bca92d7df.

Workarounds

The risk of injected external content can be reduced by setting up a Content Security Policy (CSP) for the responses that serve Swagger-UI.
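As an added example (not code from the lithium project or the advisory), a servlet filter that applies a restrictive Content-Security-Policy to every response under the Swagger-UI path, so the UI can neither run injected script nor fetch a spec from a foreign origin. The `/swagger` mount path, the class name and the use of the `javax.servlet` API are assumptions; adjust them to the application.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Sets a Content-Security-Policy header on responses served under the
 * Swagger-UI path. script-src and connect-src limited to 'self' stop the
 * page from executing injected inline/remote script and from loading an
 * externally supplied spec or config from another origin.
 */
public final class SwaggerCspFilter implements Filter {

    /** Assumed mount point of Swagger-UI; change to match the application. */
    static final String SWAGGER_PATH_PREFIX = "/swagger";

    // Swagger-UI relies on inline styles for its own rendering, so styles get
    // 'unsafe-inline'; scripts and XHR targets stay limited to our own origin.
    // If the bundled index page boots the UI from an inline <script>, add a
    // nonce or hash for that single block instead of loosening script-src.
    static final String POLICY = String.join("; ",
            "default-src 'self'",
            "script-src 'self'",
            "style-src 'self' 'unsafe-inline'",
            "img-src 'self' data:",
            "connect-src 'self'",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'none'");

    /** Returns the policy for a request path, or null when it does not apply. */
    static String policyFor(String requestUri) {
        return requestUri != null && requestUri.startsWith(SWAGGER_PATH_PREFIX) ? POLICY : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String policy = policyFor(((HttpServletRequest) req).getRequestURI());
        if (policy != null) {
            // Set, not add: exactly one policy header per response.
            ((HttpServletResponse) res).setHeader("Content-Security-Policy", policy);
        }
        chain.doFilter(req, res);
    }
}
```

In a Dropwizard application the filter is registered with `environment.servlets().addFilter("swagger-csp", new SwaggerCspFilter()).addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/swagger/*")`; after deploying, confirm the header with a browser's network panel and that the UI still loads its own spec.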

References

  • https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/

Credits

We thank Mohit Kumar for reporting this vulnerability!

Source: ghsa
Tags: #xss #vulnerability #web #java #rce #maven

Package

maven com.wire:lithium (Maven)

Affected versions

< 3.4.2

Patched versions

3.4.2

References

  • GHSA-f36p-42jv-8rh2
  • wireapp/lithium@8b9b406

comawill published the maintainer security advisory on Sep 27, 2022.

Severity

High (8.1 / 10)

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Weaknesses

CWE-79

CVE ID

No known CVE

GHSA ID

GHSA-f36p-42jv-8rh2

Source code

wireapp/lithium
