GHSA-vc79-65pr-q82v

Source
https://github.com/advisories/GHSA-vc79-65pr-q82v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-vc79-65pr-q82v/GHSA-vc79-65pr-q82v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vc79-65pr-q82v
Aliases
Published
2023-07-15T00:30:34Z
Modified
2024-02-16T08:14:13.686927Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
rswag vulnerable to arbitrary JSON and YAML file read via directory traversal
Details

rswag before 2.10.1 allows remote attackers to read arbitrary JSON and YAML files via directory traversal (CWE-22). The rswag-api middleware serves a project's OpenAPI (Swagger) specification files over HTTP, but it does not confine the requested file to the project's specification files, so a request path containing traversal sequences can make rswag-api expose a file that is not the project's OpenAPI (or Swagger) specification file. The vector is unauthenticated and network-reachable (AV:N/PR:N), with the impact limited to confidentiality of files the application process can read that carry a JSON or YAML name. Fixed in 2.10.1.
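
The bug class the advisory describes, as an added example that is not rswag's code and not the advisory's own text: a hypothetical Rack-style spec-file resolver with the vulnerable join beside a hardened version that canonicalises the path, requires it to stay under the spec root, and accepts only JSON/YAML extensions. The fixture directory, file names and contents (`swagger/v1/swagger.json`, a `secrets.yml` one level above the root) are constructed for the demonstration; the module and method names are assumptions, not rswag's API.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical spec-file resolver illustrating CWE-22 in a file-serving
# middleware. This is NOT rswag's code; it models the class of bug.
module SpecServer
  ALLOWED_EXT = %w[.json .yaml .yml].freeze

  # Vulnerable: the request path is joined straight onto the spec root.
  # "../" segments are honoured by the filesystem, so any readable file
  # reachable by traversal can be returned.
  def self.resolve_vulnerable(root, request_path)
    File.join(root, request_path)
  end

  # Hardened: strip leading slashes (otherwise expand_path treats the
  # request as absolute), canonicalise relative to the root, then require
  # the result to sit strictly below root and to carry a spec extension.
  # The prefix check also defeats "~" expansion that expand_path performs.
  # Returns nil when the request is rejected.
  def self.resolve_hardened(root, request_path)
    root = File.expand_path(root)
    candidate = File.expand_path(request_path.sub(%r{\A/+}, ''), root)
    return nil unless candidate.start_with?(root + File::SEPARATOR)
    return nil unless ALLOWED_EXT.include?(File.extname(candidate))
    return nil unless File.file?(candidate)
    candidate
  end

  # Serve one GET with the chosen resolver; returns [status, body].
  def self.serve(root, request_path, resolver)
    path = send(resolver, root, request_path)
    return [404, ''] if path.nil? || !File.file?(path)
    [200, File.read(path)]
  end
end

# Constructed fixture: a spec root holding one OpenAPI file, plus a
# sensitive YAML file one level above it (stands in for config/secrets.yml).
def with_fixture
  Dir.mktmpdir do |app|
    spec_dir = File.join(app, 'swagger')
    FileUtils.mkdir_p(File.join(spec_dir, 'v1'))
    File.write(File.join(spec_dir, 'v1', 'swagger.json'), '{"openapi":"3.0.0"}')
    File.write(File.join(app, 'secrets.yml'), "db_password: hunter2\n")
    yield spec_dir
  end
end

# Exercise both resolvers with a legitimate request and a traversal request.
def traversal_demo
  with_fixture do |spec_dir|
    legit = '/v1/swagger.json'
    evil  = '/v1/../../secrets.yml'
    {
      vulnerable_legit: SpecServer.serve(spec_dir, legit, :resolve_vulnerable)[0],
      vulnerable_evil:  SpecServer.serve(spec_dir, evil,  :resolve_vulnerable),
      hardened_legit:   SpecServer.serve(spec_dir, legit, :resolve_hardened)[0],
      hardened_evil:    SpecServer.serve(spec_dir, evil,  :resolve_hardened)[0]
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  traversal_demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The prefix check uses `root + File::SEPARATOR` rather than `root` alone so that a sibling directory such as `swagger-private` is not accepted as "inside" `swagger`. Checking the extension after canonicalisation matters: checking it on the raw request string would still pass `../../secrets.yml`.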

Database specific
{
    "nvd_published_at": "2023-07-14T22:15:09Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-17T10:44:29Z"
}
References

Affected packages

RubyGems / rswag

Package

Name
rswag
Purl
pkg:gem/rswag

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.10.1

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.2.0
1.2.1
1.3.0
1.4.0
1.5.0
1.5.1
1.5.2
1.6.0

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.1.0
2.1.1
2.2.0
2.3.0
2.3.1
2.3.2
2.3.3
2.4.0
2.5.0.rc1
2.5.0
2.5.1.rc1
2.5.1
2.6.0
2.7.0
2.8.0
2.9.0
2.10.0