From 3098ea147f0fbe8b00def9228dd9d5d851b105ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Bajto=C5=A1?= Date: Tue, 26 Nov 2019 10:06:04 +0100 Subject: [PATCH] docs: describe GitHub advisory CVE-2019-17495 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Explain why this vulnerability is not affecting LoopBack users. Signed-off-by: Miroslav Bajtoš --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 79d4d16..d96f943 100644 --- a/README.md +++ b/README.md @@ -90,6 +90,26 @@ Link: https://www.npmjs.com/advisories/976 LoopBack 3 API Explorer does not support OAuth auth flow, that means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability. +### GitHub advisory CVE-2019-17495 + +Link: https://github.com/advisories/GHSA-c427-hjc3-wrfw +> A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before +> 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique +> to perform CSS-based input field value exfiltration, such as exfiltration of +> a CSRF token value. + +Quoting from the +[disclosure](https://github.com/tarantula-team/CSS-injection-in-Swagger-UI/tree/15edeaaa5806aa8e83ee55d883f956a3c3573ac9): + +> We’ve observed that the `?url=` parameter in SwaggerUI allows an attacker to +> override an otherwise hard-coded schema file. We realize that Swagger UI +> allows users to embed untrusted Json format from remote servers This means we +> can inject json content via the GET parameter to victim Swagger UI. etc. + +LoopBack 3 API Explorer does not suport `?url=` parameter, it always loads the +Swagger spec file from the LoopBack server serving the Explorer UI. That means +loopback-component-explorer **IS NOT AFFECTED** by this vulnerability. + ## Upgrading from v1.x To upgrade your application using loopback-explorer version 1.x, just replace
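Review bot: typo in the added line "LoopBack 3 API Explorer does not suport `?url=` parameter"; it should read "does not support the `?url=` parameter". The quoted disclosure excerpt is also pasted with a missing full stop after "remote servers" and a dangling "etc." at the end; if the upstream text really reads that way, consider quoting only the first sentence or marking the cut with an ellipsis so it does not look like a copy error in this README. Finally, since the "IS NOT AFFECTED" conclusion rests entirely on the statement that the Explorer always loads the Swagger spec from the LoopBack server serving the UI, it would strengthen the section to point at where in the component that spec location is fixed, so the claim can be re-checked whenever that code changes.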