CVE-2024-22207

Medium

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without…

GitHub_M·CWE-1188·Published 2024-01-15

CVSS

5.3

EPSS

0.02

KEV

Exploits

cve.orgen

362 chars

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.

NVDen

362 chars

OSV.deven

337 chars

### Impact The default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. ### Patches Update to v2.1.0 ### Workarounds Use the `baseDir` option ### References [HackerOne report ](https://hackerone.com/reports/2312369).

GHSAen

337 chars

NVDes

432 chars

fastify-swagger-ui es un complemento de Fastify para servir la interfaz de usuario de Swagger. Antes de 2.1.0, la configuración predeterminada de `@fastify/swagger-ui` sin `baseDir` configurado hará que todos los archivos en el directorio del módulo queden expuestos a través de rutas http servidas por el módulo. La vulnerabilidad se solucionó en v2.1.0. Configurar la opción `baseDir` también puede solucionar esta vulnerabilidad.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	5.3	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Primary	NVD	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Primary	cve.org	5.3	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Secondary	NVD	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Secondary	GHSA	5.3	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N