
CVE-2024-22207

Severity: Medium
Published: 15 January 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in fastify-swagger-ui 2.1.0)
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.1436 (94.6th percentile)
Risk Priority: 19 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-22207 is a medium-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in fastify-swagger-ui, the Fastify plugin published as `@fastify/swagger-ui`. The affected-asset record below lists the product as Smartbear Swagger UI, the upstream interface the plugin serves; the vulnerable code is the Fastify plugin's own route registration, not Swagger UI itself. The CVSS 3.1 base score is 5.3 (Medium): network-reachable, no privileges or user interaction required, confidentiality impact Low, no integrity or availability impact.

Operationally, it ranks in the top 5.4% of CVEs by EPSS exploit likelihood (94.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

fastify-swagger-ui is a Fastify plugin that serves Swagger UI documentation. Prior to version 2.1.0, the plugin's default configuration, used whenever no explicit baseDir option is given, registers HTTP routes that serve every file inside the installed module directory, so any of those files can be retrieved over the network without authentication. The issue is tracked as CWE-1188 and carries a CVSS 3.1 score of 5.3.

An attacker with network access can send ordinary HTTP requests to the routes the plugin registers and read any file in the module tree, such as the package's own metadata and source files. The exposure sits under the plugin's own route prefix and needs neither authentication nor user interaction, so it is a low-effort, remotely triggered file disclosure. Its reach is limited to the contents of the `@fastify/swagger-ui` package directory; application files outside that directory are not reachable through this flaw, which is why the confidentiality impact is rated Low and integrity and availability are unaffected.

The GitHub Security Advisory GHSA-62jr-84gf-wmg4 and the accompanying commit 13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7 state that the vulnerability is resolved in release 2.1.0. The advisory also notes that explicitly setting the baseDir configuration option prevents the unintended file exposure even on earlier versions. A NetApp advisory (NTAP-20240216-0002) references the same upstream fix for affected products.

EPSS scores have remained in the 0.14–0.16 range with no material post-disclosure increase.


Vulnerability details

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.

CWE(s)

CWE-1188: Initialization of a Resource with an Insecure Default

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Listed product: smartbear / swagger ui, versions 2.0.0 up to but not including 2.1.0.
Actual vulnerable component: the fastify-swagger-ui plugin (`@fastify/swagger-ui`) prior to 2.1.0, where no explicit `baseDir` is configured; 2.1.0 is the fixed release.

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type cited in the NVD entry (CWE-1188, Initialization of a Resource with an Insecure Default). Each control addresses CWE-1188.

- Documented secure initialization practices and avoidance of insecure defaults in configuration baselines.
- Reviewing and updating the baseline when components are installed or upgraded, so that new components are not left initialized with insecure defaults.
- Requiring explicit configuration to minimal functionality, overriding insecure defaults that would otherwise enable excess capabilities.
- Tailoring, which replaces or augments insecure default initializations with system-specific values and compensating controls before deployment.
- Central configuration management, which overrides or replaces insecure default initializations that would otherwise be left unchanged on each system.
- Supply chain risk management (SCRM) practices during acquisition and configuration management, addressing insecure default initializations shipped by vendors.
- Vulnerability scanning, which detects resources initialized with insecure defaults that create exploitable conditions.
- Training on secure initialization of security controls, preventing resources from being left with insecure defaults after installation.

References

- GitHub Security Advisory GHSA-62jr-84gf-wmg4 (fastify-swagger-ui)
- Upstream fix commit 13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7 (released in fastify-swagger-ui 2.1.0)
- NetApp advisory NTAP-20240216-0002
- NVD entry for CVE-2024-22207