CVE-2019-17495
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
Una vulnerabilidad de inyección de Cascading Style Sheets (CSS) en Swagger UI versiones anteriores a la versión 3.23.11, permite a atacantes utilizar la técnica de sobrescritura de ruta relativa (RPO) para realizar una exfiltración del valor de campo de entrada basada en CSS, como la exfiltración de un valor de token CSRF. En otras palabras, este producto permite intencionalmente insertar datos JSON no confiables desde servidores remotos, pero no se sabía previamente que (style)@import dentro de los datos JSON era un método de ataque funcional.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-09-15 First Exploit
- 2019-10-10 CVE Reserved
- 2019-10-10 CVE Published
- 2024-08-05 CVE Updated
- 2024-10-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (13)
URL | Date | SRC |
---|---|---|
https://github.com/ossf-cve-benchmark/CVE-2019-17495 | 2019-09-15 | |
https://github.com/SecT0uch/CVE-2019-17495-test | 2019-12-24 | |
https://github.com/tarantula-team/CSS-injection-in-Swagger-UI | 2024-08-05 |
URL | Date | SRC |
---|---|---|
https://www.oracle.com/security-alerts/cpuApr2021.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpuoct2020.html | 2023-11-07 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Smartbear Search vendor "Smartbear" | Swagger Ui Search vendor "Smartbear" for product "Swagger Ui" | < 3.23.11 Search vendor "Smartbear" for product "Swagger Ui" and version " < 3.23.11" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Apis Search vendor "Oracle" for product "Banking Apis" | >= 18.1 <= 18.3 Search vendor "Oracle" for product "Banking Apis" and version " >= 18.1 <= 18.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Apis Search vendor "Oracle" for product "Banking Apis" | 19.1 Search vendor "Oracle" for product "Banking Apis" and version "19.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Apis Search vendor "Oracle" for product "Banking Apis" | 19.2 Search vendor "Oracle" for product "Banking Apis" and version "19.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Apis Search vendor "Oracle" for product "Banking Apis" | 20.1 Search vendor "Oracle" for product "Banking Apis" and version "20.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Apis Search vendor "Oracle" for product "Banking Apis" | 21.1 Search vendor "Oracle" for product "Banking Apis" and version "21.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | >= 18.1 <= 18.3 Search vendor "Oracle" for product "Banking Digital Experience" and version " >= 18.1 <= 18.3" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 19.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "19.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 19.2 Search vendor "Oracle" for product "Banking Digital Experience" and version "19.2" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 20.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "20.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 21.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "21.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Banking Platform Search vendor "Oracle" for product "Banking Platform" | >= 2.4.0 <= 2.10.0 Search vendor "Oracle" for product "Banking Platform" and version " >= 2.4.0 <= 2.10.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway" | >= 16.2.0 <= 16.2.11 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 16.2.0 <= 16.2.11" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway" | >= 17.12.0 <= 17.12.8 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 17.12.0 <= 17.12.8" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Utilities Framework Search vendor "Oracle" for product "Utilities Framework" | 4.3.0.6.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.3.0.6.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Utilities Framework Search vendor "Oracle" for product "Utilities Framework" | 4.4.0.0.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.0.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Utilities Framework Search vendor "Oracle" for product "Utilities Framework" | 4.4.0.2.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.2.0" | - |
Affected
|