GHSA-2r7f-4h2c-5x73
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2r7f-4h2c-5x73
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2r7f-4h2c-5x73/GHSA-2r7f-4h2c-5x73.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2r7f-4h2c-5x73
- Aliases
-
- CVE-2016-1000249
- Published
- 2020-09-01T16:38:33Z
- Modified
- 2023-11-08T03:58:08.519720Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- fury-adapter-swagger allows arbitrary file read from system
- Details
-
fury-adapter-swaggerfrom version 0.2.0 until version 0.9.7 has a weakness that allows an attacker to read arbitrary files off of the system. This can be used to read sensitive data, or to cause a denial of service condition by attempting to read something like/dev/zero.Proof of Concept:
--- swagger: '2.0' info: title: Read local files version: '1.0' paths: /foo: get: responses: 200: description: Some description examples: text/html: example: $ref: '/etc/passwd'Recommendation
Upgrade to version 0.9.7 or later.
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2020-08-31T18:18:37Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-22" ] }- References
-
- https://github.com/apiaryio/fury-adapter-swagger/pull/89
- https://github.com/apiaryio/fury-adapter-swagger/commit/777e2d68f03546a88f3203bbd4725df8b1f662a7
- https://github.com/apiaryio/fury-adapter-swagger/commit/f4407e3a5323bc31123d45dbc93b8417002e4d51#diff-54c345dc104dc19440f9c2482b7883df820e8b9b699fdd8fa07e2773e7197a29
- https://github.com/apiaryio/fury-adapter-swagger
- https://security.snyk.io/vuln/npm:fury-adapter-swagger:20161024
- https://www.npmjs.com/advisories/305
Affected packages
npm / fury-adapter-swagger
Package
- Name
- fury-adapter-swagger
- View open source insights on deps.dev
- Purl
- pkg:npm/fury-adapter-swagger