#VU30727 Cross-site request forgery in Swagger UI - CVE-2019-17495


| Updated: 2020-07-17

Vulnerability identifier: #VU30727

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-17495

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Swagger UI
Web applications / Other software

Vendor: SmartBear

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation
Update to version 3.23.11.

Vulnerable software versions

Swagger UI: 3.23.0 - 3.23.10

External links
https://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11
https://github.com/tarantula-team/CSS-injection-in-Swagger-UI

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Concert Software
Cross-site request forgery in IBM Sterling B2B Integrator
Cross-site request forgery in IBM Sterling Partner Engagement Manager
Cross-site request forgery in IBM Cloud Pak for Integration
Multiple vulnerabilities in IBM Planning Analytics Workspace
Multiple vulnerabilities in Oracle Commerce Guided Search
Multiple vulnerabilities in Oracle Banking Digital Experience
Multiple vulnerabilities in Oracle Banking APIs
Multiple vulnerabilities in Oracle Utilities Framework
Multiple vulnerabilities in IBM Cloud Application Business Insights