temporalite-archived icon indicating copy to clipboard operation
temporalite-archived copied to clipboard

Published 20 hours ago verified publisher icon temporalio

github.com/temporalio/ui-server/v2-v2.8.3: 1 vulnerabilities (highest severity is: 4.3)

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

Vulnerable Library - github.com/temporalio/ui-server/v2-v2.8.3

Golang Server for https://github.com/temporalio/ui

Library home page: https://proxy.golang.org/github.com/temporalio/ui-server/v2/@v/v2.8.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Found in HEAD commit: fdc0165780ae650730a59957dc8b227794444190

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (github.com/temporalio/ui-server/v2-v2.8.3 version) Remediation Possible**
CVE-2018-25031 Medium 4.3 github.com/temporalio/ui-server/v2-v2.8.3 Direct swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-25031

Vulnerable Library - github.com/temporalio/ui-server/v2-v2.8.3

Golang Server for https://github.com/temporalio/ui

Library home page: https://proxy.golang.org/github.com/temporalio/ui-server/v2/@v/v2.8.3.zip

Path to dependency file: /go.mod

Path to vulnerable library: /go.mod

Dependency Hierarchy:

  • :x: github.com/temporalio/ui-server/v2-v2.8.3 (Vulnerable Library)

Found in HEAD commit: fdc0165780ae650730a59957dc8b227794444190

Found in base branch: main

Vulnerability Details

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Mend Note: Converted from WS-2021-0461, on 2022-12-21.

Publish Date: 2022-03-11

URL: CVE-2018-25031

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-qrmm-w75w-3wpx

Release Date: 2022-03-11

Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] avatar Nov 10 '22 16:11 mend-for-github-com[bot]