CVE-2018-25031 — Spoofing attack in swagger-ui

Description

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.

How to fix CVE-2018-25031

To remediate CVE-2018-25031, upgrade the affected package to a fixed version below.

Maven/org.webjars:swagger-ui—upgrade to 4.1.3 or later
—upgrade to 4.1.3 or later

Is CVE-2018-25031 being exploited?

Likely — EPSS is 80.4%, placing CVE-2018-25031 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 4.1.3
from 0, < 4.1.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-25031
PATCHgithub.com/swagger-api/swagger-ui
WEBgithub.com/swagger-api/swagger-ui/issues/4872
WEBgithub.com/swagger-api/swagger-ui/pull/7697
WEB