[MAVEN:GHSA-F36P-42JV-8RH2] Lithium vulnerable to Cross Site Scripting in provided Swagger-UI

Severity High

Affected Packages 2

Fixed Packages 1

Impact

A XSS vulnerability in the provided (outdated) Swagger-UI is exploitable in applications using lithium with Swagger-UI enabled.
This allows an attacker gain Remote Code Execution (RCE) and potentially exfiltrate secrets in the context of this swagger session.

Patches

The used swagger-ui was updated by switching to the latest version of dropwizard-swagger in 8b9b406d608fe482ec0e7adf8705834bca92d7df

Workarounds

The risk of injected external content can be reduced by setting up a Content-Security-Policy.

References

https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/

Credits

We thank Mohit Kumar for reporting this vulnerability!

Package	Affected Version
pkg:maven/com.wire/lithium	< 3.4.2
pkg:maven/com.wire.bots/lithium	< 3.4.2

Package	Fixed Version
pkg:maven/com.wire/lithium	= 3.4.2

ID: MAVEN:GHSA-F36P-42JV-8RH2
Severity: high
URL: https://github.com/advisories/GHSA-f36p-42jv-8rh2
Published: 2022-09-30T04:53:37
(23 months ago)
Modified: 2023-01-12T05:05:13
(20 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://github.com/wireapp/lithium/security/advisories/GHSA-f36p-42jv-8rh2
			https://github.com/wireapp/lithium/commit/8b9b406d608fe482ec0e7adf8705834bca92d7df
			https://github.com/advisories/GHSA-f36p-42jv-8rh2

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/com.wire/lithium	com.wire	lithium	< 3.4.2
Fixed	pkg:maven/com.wire/lithium	com.wire	lithium	= 3.4.2
Affected	pkg:maven/com.wire.bots/lithium	com.wire.bots	lithium	< 3.4.2