{
  "schema_version": "1.4.0",
  "id": "GHSA-f36p-42jv-8rh2",
  "modified": "2022-10-05T22:00:04Z",
  "published": "2022-09-30T04:53:37Z",
  "aliases": [],
  "summary": "Lithium vulnerable to Cross Site Scripting in provided Swagger-UI",
  "details": "### Impact\nA  XSS vulnerability in the provided (outdated) Swagger-UI is exploitable in applications using lithium with Swagger-UI enabled.\nThis allows an attacker gain Remote Code Execution (RCE) and potentially exfiltrate secrets in the context of this swagger session.\n\n\n### Patches\nThe used swagger-ui was updated by switching to the latest version of dropwizard-swagger in 8b9b406d608fe482ec0e7adf8705834bca92d7df\n\n\n### Workarounds\nThe risk of injected external content can be reduced by setting up a [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).\n\n\n### References\n* https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/\n\n\n### Credits\nWe thank [Mohit Kumar](https://www.linkedin.com/in/mohit-kumar-4ab6b3bb) for reporting this vulnerability!\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.wire:lithium"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.2"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.wire.bots:lithium"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "< 3.4.2"
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wireapp/lithium/security/advisories/GHSA-f36p-42jv-8rh2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wireapp/lithium/commit/8b9b406d608fe482ec0e7adf8705834bca92d7df"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wireapp/lithium"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-30T04:53:37Z",
    "nvd_published_at": null
  }
}