ADVISORIES

• CVE-2023-38337 (NVD)
• GHSA-vc79-65pr-q82v
• Vendor Advisory

GEM

rswag

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

• >= 2.10.1

DESCRIPTION

rswag before 2.10.1 allows remote attackers to read arbitrary JSON and YAML files via directory traversal, because rswag-api can expose a file that is not the OpenAPI (or Swagger) specification file of a project.

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2023-38337
• https://github.com/rswag/rswag/issues/653
• https://github.com/rswag/rswag/compare/2.9.0...2.10.1
• https://github.com/advisories/GHSA-vc79-65pr-q82v