http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0. In versions of http-swagger…
GitHub_M·CWE-400·Published 2022-04-18
http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0. In versions of http-swagger prior to 1.2.6 an attacker may perform a denial of service attack consisting of memory exhaustion on the host system. The cause of the memory exhaustion is down to improper handling of http methods. Users are advised to upgrade. Users unable to upgrade may to restrict the path prefix to the "GET" method as a workaround.
http-swagger is an open source wrapper to automatically generate RESTful API documentation with Swagger 2.0. In versions of http-swagger prior to 1.2.6 an attacker may perform a denial of service attack consisting of memory exhaustion on the host system. The cause of the memory exhaustion is down to improper handling of http methods. Users are advised to upgrade. Users unable to upgrade may to restrict the path prefix to the "GET" method as a workaround.
The httpSwagger package's HTTP handler provides WebDAV read/write access to an in-memory filesystem. An attacker can exploit this to cause memory exhaustion by uploading many files, XSS attacks by uploading malicious files, or other unexpected behaviors.
### Impact Allows an attacker to perform a DOS attack consisting of memory exhaustion on the host system. ### Patches Yes. Please upgrade to v1.2.6. ### Workarounds A workaround is to restrict the path prefix to the "GET" method. As shown below ``` func main() { r := mux.NewRouter() r.PathPrefix("/swagger/").Handler(httpSwagger.Handler( httpSwagger.URL("http://localhost:1323/swagger/doc.json"), //The url pointing to API definition httpSwagger.DeepLinking(true), httpSwagger.DocExpansion("none"), httpSwagger.DomID("#swagger-ui"), )).Methods(http.MethodGet) ``` ### References Reporter dongguangli from https://www.huoxian.cn/ company ### For more information If you have any questions or comments about this advisory: * Open an issue in [http-swagger](https://github.com/swaggo/http-swagger/issues)
http-swagger es un wrapper de código abierto para generar automáticamente la documentación de la API RESTful con Swagger versión 2.0. En versiones de http-swagger anteriores a 1.2.6 un atacante puede llevar a cabo un ataque de denegación de servicio consistente en el agotamiento de la memoria del sistema anfitrión. La causa del agotamiento de la memoria es debido al manejo inapropiado de los métodos http. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizar pueden restringir el prefijo de la ruta al método "GET" como medida de mitigación
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 7.8 | 10.0 | 6.9 | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Primary | cve.org | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Secondary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Secondary | GHSA | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |