CVE-2023-38337: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

July 14, 2023 (updated July 27, 2023)

rswag before 2.10.1 allows remote attackers to read arbitrary JSON and YAML files via directory traversal, because rswag-api can expose a file that is not the OpenAPI (or Swagger) specification file of a project.

References

github.com/rswag/rswag/compare/2.9.0...2.10.1
github.com/rswag/rswag/issues/653
nvd.nist.gov/vuln/detail/CVE-2023-38337

Code Behaviors & Features

Detect and mitigate CVE-2023-38337 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →