fury-adapter-swagger@0.4.0 vulnerabilities

Swagger 2.0 parser for Fury.js

Direct Vulnerabilities

Known vulnerabilities in the fury-adapter-swagger package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Directory Traversal
Severity: High

fury-adapter-swagger is a Swagger 2.0 parser for Fury.js. Fury is an SDK that helps load an HTTP API description format (such as Swagger) and produces a uniform format that is easy to work with. The Swagger description document is a JSON or YAML file and, per the specification, allows the inclusion of other documents by reference. Fury takes this JSON file and outputs it as a JS object. This may allow any user, and in particular a malicious user, to edit the Swagger document in an online editor and write any file path into its references, including any file on the application's hosting server (e.g. /etc/passwd). The document will attempt to include the contents of the referenced file during parsing and may expose confidential information such as passwords, environment variables, DB connection credentials, etc. A denial of service is also possible, since a reference to /dev/zero makes the parser consume all available memory.
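The mechanism described above is unrestricted resolution of external `$ref` values: a reference such as `/etc/passwd` or `/dev/zero` is read from the server's file system when the document is parsed. As an added example that is not part of the Snyk advisory or of Fury's own code, the following JavaScript walks a Swagger document before it reaches any resolver and rejects every `$ref` that does not point inside the document itself (a `#/...` JSON pointer), which is the check an application accepting user-supplied Swagger documents would want to enforce. The function names and the two sample documents are constructed for this example.

```javascript
// A $ref that starts with "#" is a JSON pointer into the same document
// (e.g. "#/definitions/Pet"). Anything else ("/etc/passwd", "file:///dev/zero",
// "http://...", "other.yaml#/x") asks an unrestricted resolver to read outside it.
function isLocalRef(ref) {
  return ref.startsWith('#');
}

// Recursively walk the parsed document and collect every $ref that is not local,
// recording the JSON path where it was found for a useful error message.
function findUnsafeRefs(node, path = '$', out = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findUnsafeRefs(item, `${path}[${i}]`, out));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key === '$ref' && typeof value === 'string') {
        if (!isLocalRef(value)) out.push({ path: `${path}.$ref`, ref: value });
      } else {
        findUnsafeRefs(value, `${path}.${key}`, out);
      }
    }
  }
  return out;
}

// Parse a JSON Swagger document and refuse it, before any reference resolution
// happens, if it contains a $ref pointing outside the document.
function parseSwaggerSafely(jsonText) {
  const doc = JSON.parse(jsonText);
  const unsafe = findUnsafeRefs(doc);
  if (unsafe.length > 0) {
    const detail = unsafe.map((u) => `${u.path} -> ${u.ref}`).join(', ');
    throw new Error(`refused: external $ref in document (${detail})`);
  }
  return doc;
}

// Constructed sample documents (hypothetical, not taken from the advisory).
const SAFE_DOC = JSON.stringify({
  swagger: '2.0',
  paths: { '/pets': { get: { responses: { 200: { schema: { $ref: '#/definitions/Pet' } } } } } },
  definitions: { Pet: { type: 'object' } },
});

const MALICIOUS_DOC = JSON.stringify({
  swagger: '2.0',
  paths: { '/pets': { get: { responses: { 200: { schema: { $ref: '/etc/passwd' } } } } } },
  definitions: { Zero: { $ref: 'file:///dev/zero' } },
});
```

Calling `parseSwaggerSafely(MALICIOUS_DOC)` throws with both offending paths listed, while `parseSwaggerSafely(SAFE_DOC)` returns the parsed object unchanged.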

Thanks to Adam Kliment and Honza Javorek for finding and reporting this vulnerability to us.

How to fix Directory Traversal?

Upgrade fury-adapter-swagger to version 0.9.7 or higher.

Vulnerable versions: >=0.2.0 <0.9.7; >=0.8.0 <0.9.0