CVE-2021-46708
Clickjacking vulnerability in swagger-ui-dist (npm)
What is CVE-2021-46708 About?
The 'swagger-ui-dist' package before 4.1.3 is vulnerable to clickjacking: a remote attacker who persuades a victim to visit a malicious web page can hijack the victim's clicks on a framed Swagger UI instance. Exploitation is of moderate difficulty because it depends on social engineering.
Affected Software
- swagger-ui-dist (npm): all versions before 4.1.3; fixed in 4.1.3
Technical Details
The 'swagger-ui-dist' package, in versions prior to 4.1.3, is susceptible to clickjacking. The attack works when the web application serving 'swagger-ui-dist' does not prevent framing, that is, it sends neither an X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive. An attacker embeds the vulnerable Swagger UI instance in an invisible iframe on a page they control and overlays deceptive elements (buttons, links) on top of interactive elements of the hidden UI. A user who clicks the overlay actually clicks through to the Swagger UI beneath it, so the attacker can drive the victim's click actions, potentially triggering unintended API calls, data manipulation, or further attacks.
Note that the fix shipped in 4.1.3 (described in the fix section below) does not make the bundle refuse to be framed; it stops Swagger UI from taking its configuration from the page's query string. Anti-framing headers still have to be set by whatever serves the bundle, regardless of version.
What is the Impact of CVE-2021-46708?
Successful exploitation allows an attacker to hijack a victim's clicks, causing unintended interactions with the Swagger UI (including API requests issued through it in the victim's browser session), potential data manipulation, or follow-on attacks.
What is the Exploitability of CVE-2021-46708?
Exploitation involves moderate complexity, mainly because of the social engineering needed to lure a victim to a malicious site. The attacker must host a page that frames the vulnerable Swagger UI instance and overlays it with bait. No authentication is required for the clickjacking itself, but the clicks are delivered with the victim's own browser session, so an authenticated Swagger UI that exposes sensitive operations is the valuable target. No special privileges are needed, and the attack is remote, since it runs in the victim's browser. Preconditions are that the 'swagger-ui-dist' instance can be embedded in an iframe from another origin (no X-Frame-Options header or CSP frame-ancestors restriction) and that the attacker can entice a victim to the hosted page. The likelihood increases when the Swagger UI is publicly reachable and performs sensitive operations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-46708?
About the Fix from Resolved Security
The patch adds a new explicit configuration option, queryConfigEnabled, defaulting to false, that controls whether URL query parameters may override configuration settings. Because overriding now requires an explicit opt-in, an attacker can no longer change application behaviour through the URL's search params, which mitigates CVE-2021-46708. Applications that intentionally rely on query-string configuration must set queryConfigEnabled to true after upgrading, and should then treat the accepted parameters as untrusted input.
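To make the opt-in concrete, here is an added illustration (not Swagger UI's own code) of what the option gates: a base configuration merged, or not merged, with the page's query string. queryConfigEnabled is the real option name introduced in 4.1.3 and `url` / `dom_id` are real Swagger UI options; the merge logic, the function names and the same-origin filter on `url` are constructions for this example. The filter goes beyond the page: it shows one way to keep query-string configuration enabled without letting a link point the UI at a spec on another origin.

```javascript
// Accept only spec URLs that resolve to the page's own origin. Rejects absolute
// and protocol-relative URLs pointing elsewhere as well as non-http schemes
// (javascript:, data:), whose origin is "null".
function isSameOriginSpecUrl(candidate, pageOrigin) {
  try {
    return new URL(candidate, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false;
  }
}

// Merge query-string overrides into a base config the way the opt-in works:
// with queryConfigEnabled false (the 4.1.3 default) the query string is ignored
// entirely; with it true every parameter overrides the matching option, except
// that a cross-origin 'url' is dropped by the added filter (this example's own
// hardening, not Swagger UI behaviour). pageOrigin is an assumed parameter
// standing in for window.location.origin.
function resolveConfig(baseConfig, search,
                       { queryConfigEnabled = false, pageOrigin = 'http://localhost' } = {}) {
  const merged = { ...baseConfig };
  if (!queryConfigEnabled) return merged;
  for (const [key, value] of new URLSearchParams(search)) {
    if (key === 'url' && !isSameOriginSpecUrl(value, pageOrigin)) continue;
    merged[key] = value;
  }
  return merged;
}

// Options to hand to SwaggerUIBundle() in the browser. Writing
// queryConfigEnabled: false explicitly documents the choice even on versions
// where it is already the default.
function swaggerUiInitOptions(specUrl) {
  return { url: specUrl, dom_id: '#swagger-ui', queryConfigEnabled: false };
}

// Browser usage: SwaggerUIBundle(swaggerUiInitOptions('/openapi.json'));
```

With the default, a link such as `/docs/?url=https://attacker.example/spec.json` leaves the configured `url` untouched; with queryConfigEnabled true the same link would switch the spec unless something like `isSameOriginSpecUrl` rejects it.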
Available Upgrade Options
- swagger-ui-dist
- <4.1.3 → Upgrade to 4.1.3
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-46708
- https://github.com/swagger-api/swagger-ui
- https://osv.dev/vulnerability/GHSA-6c9x-mj3g-h47x
- https://security.snyk.io/vuln/SNYK-JS-SWAGGERUIDIST-2314884
- https://security.netapp.com/advisory/ntap-20220407-0004
- https://www.npmjs.com/package/swagger-ui-dist/v/4.1.3
What are Similar Vulnerabilities to CVE-2021-46708?
Similar Vulnerabilities: CVE-2020-0062, CVE-2017-5638, CVE-2018-17182, CVE-2021-3636, CVE-2021-23340
