Skip to content
This repository has been archived by the owner on Apr 3, 2024. It is now read-only.

github.com/temporalio/ui-server/v2-v2.8.3: 1 vulnerabilities (highest severity is: 4.3) #172

Open
mend-for-github.aaakk.us.kg bot opened this issue Nov 10, 2022 · 0 comments
Open

github.com/temporalio/ui-server/v2-v2.8.3: 1 vulnerabilities (highest severity is: 4.3) #172

mend-for-github.aaakk.us.kg bot opened this issue Nov 10, 2022 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github.aaakk.us.kg
Copy link

mend-for-github.aaakk.us.kg bot commented Nov 10, 2022
edited
Loading

Vulnerable Library - github.com/temporalio/ui-server/v2-v2.8.3

Golang Server for https://github.com/temporalio/ui

Library home page: https://proxy.golang.org/github.com/temporalio/ui-server/v2/@v/v2.8.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Found in HEAD commit: fdc0165780ae650730a59957dc8b227794444190

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (github.com/temporalio/ui-server/v2-v2.8.3 version) Remediation Possible**
CVE-2018-25031 Medium 4.3 github.com/temporalio/ui-server/v2-v2.8.3 Direct swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-25031

Vulnerable Library - github.com/temporalio/ui-server/v2-v2.8.3

Golang Server for https://github.com/temporalio/ui

Library home page: https://proxy.golang.org/github.com/temporalio/ui-server/v2/@v/v2.8.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • github.com/temporalio/ui-server/v2-v2.8.3 (Vulnerable Library)

Found in HEAD commit: fdc0165780ae650730a59957dc8b227794444190

Found in base branch: main

Vulnerability Details

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
Mend Note: Converted from WS-2021-0461, on 2022-12-21.

Publish Date: 2022-03-11

URL: CVE-2018-25031

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qrmm-w75w-3wpx

Release Date: 2022-03-11

Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.
@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Nov 10, 2022
@mend-for-github.aaakk.us.kg mend-for-github.aaakk.us.kg bot changed the title github.com/temporalio/ui-server/v2-v2.8.3: 2 vulnerabilities (highest severity is: 6.1) github.com/temporalio/ui-server/v2-v2.8.3: 1 vulnerabilities (highest severity is: 4.3) Jan 17, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants