{"id": "CVE-2019-17495", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-10-10T22:15:10.290", "references": [{"url": "https://github.com/swagger-api/swagger-ui/releases/tag/v3.23.11", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://github.com/tarantula-team/CSS-injection-in-Swagger-UI", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/r103579b01da2d0aa0f672b88f811224bbf8ef493aaad845895955e91%40%3Ccommits.airflow.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/r3acb7e494cf1aab99b6784b7c5bbddfd0d4f8a484ab534c3a61ef9cf%40%3Ccommits.airflow.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/r84b327f7a8b6b28857b906c07a66dd98e1d341191fa8d7816514ef96%40%3Ccommits.airflow.apache.org%3E", "source": "cve@mitre.org"}, {"url": 
"https://lists.apache.org/thread.html/r853ffeb915a400f899de78124d4e0d77a19379d2e11bf8f4e98c624f%40%3Ccommits.airflow.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/ref70b940c4f69560d29d6ba792d6c82865e74de3dcad4c92d99b1f8f%40%3Ccommits.airflow.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de Cascading Style Sheets (CSS) en Swagger UI versiones anteriores a la versi\u00f3n 3.23.11, permite a atacantes utilizar la t\u00e9cnica de sobrescritura de ruta relativa (RPO) para realizar una exfiltraci\u00f3n del valor de campo de entrada basada en CSS, como la exfiltraci\u00f3n de un valor de token CSRF. 
En otras palabras, este producto permite intencionalmente insertar datos JSON no confiables desde servidores remotos, pero no se sab\u00eda previamente que <style>@import dentro de los datos JSON era un m\u00e9todo de ataque funcional."}], "lastModified": "2023-11-07T03:06:18.463", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:smartbear:swagger_ui:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "57CBDCB1-31D5-4063-B9BF-51B6AEADF76A", "versionEndExcluding": "3.23.11"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DF2D056-3118-4C31-BEDD-69F016898CBB", "versionEndIncluding": "18.3", "versionStartIncluding": "18.1"}, {"criteria": "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172"}, {"criteria": "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86F03B63-F922-45CD-A7D1-326DB0042875"}, {"criteria": "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CBFC93F-8B39-45A2-981C-59B187169BD4"}, {"criteria": "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0843465C-F940-4FFC-998D-9A2668B75EA0"}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "366A6277-5D74-44C8-94A9-8ADB5568B5FB", "versionEndIncluding": "18.3", "versionStartIncluding": "18.1"}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED"}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18127694-109C-4E7E-AE79-0BA351849291"}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", 
"vulnerable": true, "matchCriteriaId": "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC"}, {"criteria": "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1"}, {"criteria": "cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3625D477-1338-46CB-90B1-7291D617DC39", "versionEndIncluding": "2.10.0", "versionStartIncluding": "2.4.0"}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "06CF27F6-ADC1-480C-9D2E-2BD1E7330C32", "versionEndIncluding": "16.2.11", "versionStartIncluding": "16.2.0"}, {"criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C46E7006-37B5-4A23-8116-C54D683D32D1", "versionEndIncluding": "17.12.8", "versionStartIncluding": "17.12.0"}, {"criteria": "cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8DF02546-3F0D-4FDD-89B1-8A3FE43FB5BF"}, {"criteria": "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F906F04-39E4-4BE4-8A73-9D058AAADB43"}, {"criteria": "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B393A82-476A-4270-A903-38ED4169E431"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}