CVE-2024-22207
Published: 15 January 2024
Summary
CVE-2024-22207 is a medium-severity Initialization of a Resource with an Insecure Default (CWE-1188) vulnerability in SmartBear Swagger UI. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 5.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
fastify-swagger-ui is a Fastify plugin that serves Swagger UI documentation. Prior to version 2.1.0, the component's default configuration without an explicit baseDir option registers HTTP routes that expose every file located inside the installed module directory, enabling unauthenticated retrieval of those files over the network. The issue is tracked as CWE-1188 and carries a CVSS 3.1 score of 5.3.
An attacker with network access can send ordinary HTTP requests to the routes created by the plugin and read any file present in the module tree. Because the exposure occurs under the plugin's own route prefix and does not require authentication or user interaction, the flaw permits low-effort local file disclosure limited to the contents of the fastify-swagger-ui package directory.
The GitHub Security Advisory GHSA-62jr-84gf-wmg4 and the accompanying commit 13d799a2c5f14d3dd5b15892e03bbcbae63ee6f7 state that the vulnerability is resolved in release 2.1.0. The advisory also notes that explicitly setting the baseDir configuration option prevents the unintended file exposure even on earlier versions. A NetApp advisory (NTAP-20240216-0002) references the same upstream fix for affected products.
EPSS scores have remained in the 0.14–0.16 range with no material post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0266
Vulnerability details
fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting the `baseDir` option can also work around this vulnerability.
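Two defender-side checks for the weakness described in the analysis and the details above, added here as an example that is not code from the advisory or from the fastify-swagger-ui project: a configuration audit that flags a pre-2.1.0 registration lacking an explicit `baseDir`, and a scan of access-log lines for requests under the documentation route prefix that reach files the UI never needs. The option name `routePrefix`, the allowed sub-paths and the log format are assumptions made for this example.

```javascript
// Added example, not code from the advisory or the fastify-swagger-ui project.
// (1) auditSwaggerUiOptions flags a @fastify/swagger-ui registration on a version
//     before 2.1.0 with no explicit baseDir; (2) suspiciousDocRequests scans access-log
//     lines for requests under the docs route prefix that target files the UI never needs.
// Option names, the allowed sub-paths and the log format are assumptions for this example.
const FIXED_VERSION = '2.1.0'; // release named in the advisory

// Numeric comparison of dotted versions: "2.10.0" is newer than "2.9.1".
function versionLess(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Returns a finding string, or null when the registration is not affected.
function auditSwaggerUiOptions(options, installedVersion) {
  if (versionLess(installedVersion, FIXED_VERSION) && !options.baseDir) {
    return `@fastify/swagger-ui ${installedVersion} registered without baseDir: ` +
      `module directory served over HTTP (CVE-2024-22207); upgrade to ${FIXED_VERSION} or set baseDir`;
  }
  return null;
}

// Sub-paths a legitimate UI session requests under the prefix (assumed allowlist; tune to the bundle served).
const ALLOWED = (rel) => rel === '' || rel === 'json' || rel === 'yaml' || rel.startsWith('static/');

// Returns the request targets under `routePrefix` that fall outside the allowlist.
function suspiciousDocRequests(logLines, routePrefix = '/documentation', allowed = ALLOWED) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|HEAD) (\S+)/); // method and target of a combined-log request line
    if (!m) continue;
    const url = m[1].split('?')[0];
    if (url !== routePrefix && !url.startsWith(routePrefix + '/')) continue;
    const rel = url.slice(routePrefix.length).replace(/^\/+/, '');
    if (!allowed(rel)) hits.push(url);
  }
  return hits;
}

// Constructed access-log lines (sample input, not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [15/Jan/2024:10:00:01 +0000] "GET /documentation/ HTTP/1.1" 200 1024',
  '10.0.0.5 - - [15/Jan/2024:10:00:02 +0000] "GET /documentation/static/swagger-ui.css HTTP/1.1" 200 14000',
  '10.0.0.9 - - [15/Jan/2024:10:00:04 +0000] "GET /documentation/package.json HTTP/1.1" 200 900',
  '10.0.0.7 - - [15/Jan/2024:10:00:06 +0000] "GET /api/users HTTP/1.1" 200 300',
];
```

Running `suspiciousDocRequests(SAMPLE_LOG)` returns only the `/documentation/package.json` request, while the audit returns null once `baseDir` is set or the version is 2.1.0 or later.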
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines.
Reviewing and updating baseline when components are installed or upgraded prevents initialization with insecure defaults.
Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities.
Tailoring replaces or augments insecure default initializations with system-specific values and compensating controls before deployment.
Central configuration overrides or replaces insecure default initializations that would otherwise be left unchanged on each system.
SCRM practices during acquisition and configuration management address insecure default initializations shipped by vendors.
Scans detect resources initialized with insecure defaults that create exploitable conditions.
Instruction on secure initialization of security controls prevents leaving resources with insecure defaults after installation.