CVE-2024-22207

Source
https://cve.org/CVERecord?id=CVE-2024-22207
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22207.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-22207
Aliases
Published
2024-01-15T15:40:35.252Z
Modified
2026-04-02T09:49:38.529367Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Default swagger-ui configuration exposes all files in the module
Details

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of @fastify/swagger-ui, with no baseDir set, exposes all files in the module's directory via the HTTP routes served by the module. The vulnerability is fixed in v2.1.0. Setting the baseDir option also works around this vulnerability.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1188"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/22xxx/CVE-2024-22207.json"
}
References

Affected packages

Git / github.com/fastify/fastify-swagger-ui

Affected ranges

Type
GIT
Repo
https://github.com/fastify/fastify-swagger-ui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.10.0
v1.10.1
v1.10.2
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v2.*
v2.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22207.json"

Git / github.com/swagger-api/swagger-ui

Affected ranges

Type
GIT
Repo
https://github.com/swagger-api/swagger-ui
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.0"
        }
    ]
}

Affected versions

v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.20
v2.0.21
v2.0.22
v2.0.24
v2.0.3
v2.0.4
v2.0.7
v2.0.8
v2.0.9
v2.1.0-M1
v2.1.0-M2
v2.1.0-alpha.1
v2.1.0-alpha.4
v2.1.0-alpha.5
v2.1.0-alpha.6
v2.1.1-M1
v2.1.1-M2
v2.1.2-M1
v2.1.2-M2
v2.1.3-M1
v2.1.3-M2
v2.1.4-M1
v2.1.4-M2
v2.1.5-M1
v2.1.5-M2
v2.1.6-M1
v2.1.7-M1
v2.1.8-M1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22207.json"