Skip to content
This repository was archived by the owner on Apr 3, 2024. It is now read-only.
This repository was archived by the owner on Apr 3, 2024. It is now read-only.

github.com/temporalio/ui-server/v2-v2.8.3: 1 vulnerabilities (highest severity is: 4.3) #172

Description

@mend-for-github-com
Vulnerable Library - github.com/temporalio/ui-server/v2-v2.8.3

Golang Server for https://github.com/temporalio/ui

Library home page: https://proxy.golang.org/github.com/temporalio/ui-server/v2/@v/v2.8.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Found in HEAD commit: fdc0165780ae650730a59957dc8b227794444190

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (github.com/temporalio/ui-server/v2-v2.8.3 version) Remediation Possible**
CVE-2018-25031 Medium 4.3 github.com/temporalio/ui-server/v2-v2.8.3 Direct swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-25031

Vulnerable Library - github.com/temporalio/ui-server/v2-v2.8.3

Golang Server for https://github.com/temporalio/ui

Library home page: https://proxy.golang.org/github.com/temporalio/ui-server/v2/@v/v2.8.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/temporalio/ui-server/v2-v2.8.3 (Vulnerable Library)

Found in HEAD commit: fdc0165780ae650730a59957dc8b227794444190

Found in base branch: main

Vulnerability Details

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
Mend Note: Converted from WS-2021-0461, on 2022-12-21.

Publish Date: 2022-03-11

URL: CVE-2018-25031

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qrmm-w75w-3wpx

Release Date: 2022-03-11

Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3

⛑️ Automatic Remediation will be attempted for this issue.


⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions