Vulnerability Report: GO-2022-0427

CVE-2022-24863, CVE-2024-25712, and 2 more
Affects: github.com/swaggo/http-swagger
Published: Feb 29, 2024
Modified: May 20, 2024

The httpSwagger package's HTTP handler provides WebDAV read/write access to an in-memory filesystem. An attacker can exploit this to cause memory exhaustion by uploading many files, XSS attacks by uploading malicious files, or other unexpected behaviors.

Affected Packages

Path

Go Versions

Symbols
github.com/swaggo/http-swagger

before v1.2.6

all symbols

Aliases

CVE-2022-24863
CVE-2024-25712
GHSA-49w7-5r33-jm9m
GHSA-xg75-q3q5-cqmv

References

https://cosmosofcyberspace.github.io/improper_http_method_leads_to_xss/poc.html
https://github.com/swaggo/http-swagger/pull/62
https://github.com/swaggo/http-swagger/issues/61
https://vuln.go.dev/ID/GO-2022-0427.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL