GHSA-xg75-q3q5-cqmv

Suggest an improvement
Source
https://github.com/advisories/GHSA-xg75-q3q5-cqmv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-xg75-q3q5-cqmv/GHSA-xg75-q3q5-cqmv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xg75-q3q5-cqmv
Aliases
Related
Published
2022-04-22T20:55:52Z
Modified
2024-03-04T18:35:26Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Denial of Service in http-swagger
Details

Impact

Allows an attacker to perform a DOS attack consisting of memory exhaustion on the host system.

Patches

Yes. Please upgrade to v1.2.6.

Workarounds

A workaround is to restrict the path prefix to the "GET" method. As shown below

func main() {
    r := mux.NewRouter()

    r.PathPrefix("/swagger/").Handler(httpSwagger.Handler(
        httpSwagger.URL("http://localhost:1323/swagger/doc.json"), //The url pointing to API definition
        httpSwagger.DeepLinking(true),
        httpSwagger.DocExpansion("none"),
        httpSwagger.DomID("#swagger-ui"),
    )).Methods(http.MethodGet)

References

Reporter dongguangli from https://www.huoxian.cn/ company

For more information

If you have any questions or comments about this advisory: * Open an issue in http-swagger

Database specific 
{
    "nvd_published_at": "2022-04-18T19:15:00Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-755"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-22T20:55:52Z"
}
References

Affected packages

Go / github.com/swaggo/http-swagger

Package

Name
github.com/swaggo/http-swagger
View open source insights on deps.dev
Purl
pkg:golang/github.com/swaggo/http-swagger

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.6