GHSA-f36p-42jv-8rh2 – com.wire.bots:lithium
Package
Manager: maven
Name: com.wire.bots:lithium
Vulnerable Version: >=0 <3.4.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Lithium vulnerable to Cross Site Scripting in provided Swagger-UI

### Impact

An XSS vulnerability in the provided (outdated) Swagger-UI is exploitable in applications using lithium with Swagger-UI enabled. This allows an attacker to gain Remote Code Execution (RCE) and potentially exfiltrate secrets in the context of this swagger session.

### Patches

The used swagger-ui was updated by switching to the latest version of dropwizard-swagger in 8b9b406d608fe482ec0e7adf8705834bca92d7df

### Workarounds

The risk of injected external content can be reduced by setting up a [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).

### References

* https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/

### Credits

We thank [Mohit Kumar](https://www.linkedin.com/in/mohit-kumar-4ab6b3bb) for reporting this vulnerability!
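The workaround above only names Content-Security-Policy without showing how to apply it to the Swagger-UI pages. The following is an added example, not code from the advisory or from the lithium project: a standard `javax.servlet.Filter` that sets a restrictive CSP on responses, plus the Dropwizard registration call as a comment. The filter name, the `/swagger/*` URL pattern and the exact policy are assumptions that need to be adjusted to where dropwizard-swagger serves the UI in the embedding application.

```java
// Added example (not part of the advisory or the lithium project): a servlet
// filter that attaches a Content-Security-Policy header so that injected
// content on the Swagger-UI page cannot pull scripts or specs from remote
// origins. Registration via Dropwizard's environment.servlets() is shown as an
// assumption about the embedding application's setup.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class SwaggerCspFilter implements Filter {
    // Same-origin scripts and XHR/fetch only: a spec or config URL pointing at
    // an attacker-controlled host is blocked by connect-src, and externally
    // hosted script is blocked by script-src. 'unsafe-inline' for styles is a
    // concession to Swagger-UI's inline styling. Older Swagger-UI builds also
    // use an inline bootstrap script; if the UI fails to render, add a
    // nonce or hash for that script rather than 'unsafe-inline' to script-src.
    static final String POLICY =
        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
        + "img-src 'self' data:; connect-src 'self'; object-src 'none'; "
        + "frame-ancestors 'none'; base-uri 'self'";

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set (not add) so a single, unambiguous policy reaches the browser.
            ((HttpServletResponse) res).setHeader("Content-Security-Policy", POLICY);
        }
        chain.doFilter(req, res);
    }
}

// Registration inside the Dropwizard Application.run(config, environment)
// method (assumed filter name and URL pattern; adjust to your deployment):
//
//   environment.servlets()
//       .addFilter("swagger-csp", new SwaggerCspFilter())
//       .addMappingForUrlPatterns(
//           java.util.EnumSet.of(javax.servlet.DispatcherType.REQUEST),
//           true, "/swagger/*");
```

After deploying, confirm the header with a request to the Swagger-UI path and check the browser console for CSP violation reports, which also double as a detection signal for attempted injection. This reduces the blast radius of the XSS but does not remove it; the fix remains upgrading to a lithium version with the updated dropwizard-swagger, as the Patches section states.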
Metadata
Created: 2022-09-30T04:53:37Z
Modified: 2022-10-05T22:00:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-f36p-42jv-8rh2/GHSA-f36p-42jv-8rh2.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F008
Auto approve: 1