What is CVE-2019-17495?

CVE-2019-17495 is a Cascading Style Sheets (CSS) injection vulnerability in Swagger UI that could allow a remote attacker to obtain sensitive information.

What is the severity of CVE-2019-17495?

The severity of CVE-2019-17495 is critical with a severity value of 9.8.

Which versions of Swagger UI are affected by CVE-2019-17495?

Swagger UI versions before 3.23.11 are affected by CVE-2019-17495.

How can I fix CVE-2019-17495?

To fix CVE-2019-17495, upgrade Swagger UI to version 3.23.11 or later.

Vulnerability/
CVE-2019-17495

critical

9.8

CWE

352 79

10/10/2019

15/10/2019

19/11/2024

CVE-2019-17495: CSRF

Q: How does CVE-2019-17495 allow attackers to obtain sensitive information?

CVE-2019-17495 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value.

First published: Thu Oct 10 2019(Updated: )

A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
Smartbear Swagger Ui	<3.23.11
Oracle Banking Apis	>=18.1<=18.3
Oracle Banking Apis	=19.1
Oracle Banking Apis	=19.2
Oracle Banking Apis	=20.1
Oracle Banking Apis	=21.1
Oracle Banking Digital Experience	>=18.1<=18.3
Oracle Banking Digital Experience	=19.1
Oracle Banking Digital Experience	=19.2
Oracle Banking Digital Experience	=20.1
Oracle Banking Digital Experience	=21.1
Oracle Banking Platform	>=2.4.0<=2.10.0
Oracle Primavera Gateway	>=16.2.0<=16.2.11
Oracle Primavera Gateway	>=17.12.0<=17.12.8
Oracle Utilities Framework	=4.3.0.6.0
Oracle Utilities Framework	=4.4.0.0.0
Oracle Utilities Framework	=4.4.0.2.0
maven/io.springfox:springfox-swagger-ui	<2.10.0	2.10.0
maven/org.webjars.npm:swagger-ui	<3.23.11	3.23.11
maven/org.webjars:swagger-ui	<3.23.11	3.23.11
npm/swagger-ui	<3.23.11	3.23.11
IBM Concert Software	<=1.0.0, 1.0.1, 1.0.2, 1.0.2.1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7176346

Frequently Asked Questions

What is CVE-2019-17495?
CVE-2019-17495 is a Cascading Style Sheets (CSS) injection vulnerability in Swagger UI that could allow a remote attacker to obtain sensitive information.
What is the severity of CVE-2019-17495?
The severity of CVE-2019-17495 is critical with a severity value of 9.8.
How does CVE-2019-17495 allow attackers to obtain sensitive information?
CVE-2019-17495 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value.
Which versions of Swagger UI are affected by CVE-2019-17495?
Swagger UI versions before 3.23.11 are affected by CVE-2019-17495.
How can I fix CVE-2019-17495?
To fix CVE-2019-17495, upgrade Swagger UI to version 3.23.11 or later.

agent/type
collector/nvd-index
agent/software-canonical-lookup-request
agent/remedy
agent/description
collector/mitre-cve
source/MITRE
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-c427-hjc3-wrfw
alias/CVE-2019-17495
agent/software-canonical-lookup
agent/severity
agent/last-modified-date
agent/references
agent/weakness
agent/softwarecombine
agent/event
collector/nvd-cve
source/NVD
agent/author
collector/github-advisory
agent/tags
collector/ibm-support
source/IBM
vendor/smartbear
canonical/smartbear swagger ui
vendor/oracle
canonical/oracle banking apis
version/oracle banking apis/18.1
version/oracle banking apis/18.3
version/oracle banking apis/19.1
version/oracle banking apis/19.2
version/oracle banking apis/20.1
version/oracle banking apis/21.1
canonical/oracle banking digital experience
version/oracle banking digital experience/18.1
version/oracle banking digital experience/18.3
version/oracle banking digital experience/19.1
version/oracle banking digital experience/19.2
version/oracle banking digital experience/20.1
version/oracle banking digital experience/21.1
canonical/oracle banking platform
version/oracle banking platform/2.4.0
version/oracle banking platform/2.10.0
canonical/oracle primavera gateway
version/oracle primavera gateway/16.2.0
version/oracle primavera gateway/16.2.11
version/oracle primavera gateway/17.12.0
version/oracle primavera gateway/17.12.8
canonical/oracle utilities framework
version/oracle utilities framework/4.3.0.6.0
version/oracle utilities framework/4.4.0.0.0
version/oracle utilities framework/4.4.0.2.0
package-manager/maven
package-manager/npm
vendor/ibm
canonical/ibm concert software
version/ibm concert software/1.0.0, 1.0.1, 1.0.2, 1.0.2.1

CVE-2019-17495: CSRF

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Frequently Asked Questions

What is CVE-2019-17495?

What is the severity of CVE-2019-17495?

How does CVE-2019-17495 allow attackers to obtain sensitive information?

Which versions of Swagger UI are affected by CVE-2019-17495?

How can I fix CVE-2019-17495?

Company

Resources

Contact