CVE-2023-5077
Phishing vulnerability in vault (Go)

Phishing | No known exploit

What is CVE-2023-5077 About?

This vulnerability in SwaggerUI, particularly in versions prior to 4.1.3 (and pre-3.38.0 for XSS), involves the `?url` parameter which enables displaying remote OpenAPI definitions. This feature can be abused for phishing attacks by tricking users into interacting with a malicious API through a trusted domain. While not directly allowing XSS in newer versions, older versions (pre-3.38.0) combined with DOMPurify vulnerabilities could also create reflected XSS.

Affected Software

github.com/hashicorp/vault <1.13.0

Technical Details

SwaggerUI's `?url` parameter is designed to load and render OpenAPI definitions from remote sources. The phishing vulnerability stems from the trusted context of the self-hosted SwaggerUI instance. An attacker can craft a URL such as `https://example.com/api-docs?url=https://evildomain/fakeapi.yaml`. If `example.com` is a domain the user trusts, they may not suspect that `evildomain` will serve a manipulated OpenAPI definition. That definition can present fake API endpoints which, when used with the "Try it out" feature, collect sensitive data the user enters. The user, believing they are interacting with the trusted `example.com` interface, submits data that the browser then sends to the attacker-controlled `evildomain`.

In older versions (pre-3.38.0), combining this URL parameter functionality with a DOMPurify vulnerability (CVE-2020-26870) allowed reflected XSS, where an attacker could inject and execute arbitrary client-side scripts.
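The mitigation a practitioner would want here is an origin allowlist applied to the `url` parameter before SwaggerUI ever sees it. The following is an added example, not Vault's or SwaggerUI's own code; the trusted origin `https://example.com`, the default spec path `/openapi.json`, and the `resolveSpecUrl`/`buildSwaggerConfig` names are assumptions for the demo.

```javascript
// Added example, not Vault's or SwaggerUI's own code: gate the user-supplied
// `?url=` value so SwaggerUI only renders OpenAPI definitions from origins the
// operator trusts. Names and the trusted origin are assumptions for this demo.
const TRUSTED_ORIGINS = new Set(["https://example.com"]); // constructed sample
const DEFAULT_SPEC = "/openapi.json"; // hypothetical local definition path

// Returns an absolute URL string if `candidate` is acceptable, else null.
function resolveSpecUrl(candidate, pageOrigin = "https://example.com", trusted = TRUSTED_ORIGINS) {
  if (typeof candidate !== "string" || candidate.trim() === "") return null;
  let parsed;
  try {
    // Relative paths resolve against the page; "//evildomain/x" becomes absolute.
    parsed = new URL(candidate, pageOrigin);
  } catch (e) {
    return null; // unparsable input
  }
  // Only fetchable web schemes; rejects javascript:, data:, file: and similar.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  // "https://example.com@evildomain/..." parses with host evildomain and a
  // username of example.com; reject any userinfo outright.
  if (parsed.username !== "" || parsed.password !== "") return null;
  // Compare the full origin (scheme + host + port), not a substring of the host.
  if (!trusted.has(parsed.origin)) return null;
  return parsed.href;
}

// Build the SwaggerUI config from the page's query string, falling back to the
// local definition whenever the requested one is not trusted.
function buildSwaggerConfig(queryString) {
  const params = new URLSearchParams(queryString);
  const safe = resolveSpecUrl(params.get("url"));
  return { url: safe || DEFAULT_SPEC, rejected: safe === null && params.has("url") };
}
```

The `rejected` flag is worth logging server-side or in the client console: a spike of rejected `url` values against a documentation host is a cheap phishing-campaign signal.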

What is the Impact of CVE-2023-5077?

Successful exploitation may allow attackers to conduct sophisticated phishing attacks by leveraging trusted domains to collect sensitive user data, or in older versions, to execute arbitrary client-side scripts (Reflected XSS), leading to session hijacking, defacement, or further client-side attacks.

What is the Exploitability of CVE-2023-5077?

Exploiting the phishing vector is moderately complex and relies primarily on social engineering: the attacker must craft a convincing malicious URL and trick a user into opening it. The attacker needs no authentication to SwaggerUI; the attack leverages the victim's trust in the SwaggerUI host domain. Privilege requirements are minimal, amounting to the ability to host a malicious OpenAPI definition, and the scenario is fully remote. The special conditions are that the victim is unaware of the `?url` parameter's implications and trusts the domain presenting the SwaggerUI instance. The likelihood of exploitation increases if users are accustomed to loading various OpenAPI definitions via URL or if the trusted domain is widely used.

The reflected XSS variant (pre-3.38.0) relies on the same URL manipulation but directly injects malicious script, bypassing content security policies due to the DOMPurify flaw. No special authentication is required for the reflected XSS to occur once a user visits the crafted URL. The primary constraints are user awareness and the specific SwaggerUI version in use.

What are the Known Public Exploits?

No known public exploits are listed.

What are the Available Fixes for CVE-2023-5077?

Available Upgrade Options

  • github.com/hashicorp/vault
    • <1.13.0 → Upgrade to 1.13.0


Additional Resources

What are Similar Vulnerabilities to CVE-2023-5077?

Similar Vulnerabilities: CVE-2022-24706, CVE-2021-38148, CVE-2020-13936, CVE-2019-15582, CVE-2018-8779