Unpatched remote code execution flaw exists in Swagger

History

2016-06-23

#1004 Unpatched remote code execution flaw exists in Swagger

An unexpected behavior in a relatively new and popular open source API framework called Swagger could lead to code execution, researchers at Rapid7 said.

The company today disclosed some details on the vulnerability, and released a Metasploit exploit module and a proposed patch written by researcher Scott Davis who found the flaw.

Details were privately disclosed on April 19 to the Swagger API team and then on May 9 to CERT, Rapid7 said. To date, Rapid7 Security Research Manager Tod Beardsley told Threatpost, there has been no response from Swagger’s maintainers. Rapid7 said it shared its patch with CERT on June 16 and today made its public disclosure.

All - 2016-06-23

#1007 Google launches Android programming course for absolute beginners

#1006 Apple’s official statement on why the iOS 10 kernel is not encrypted

#1005 WordPress security update patches two dozen flaws

#1004 Unpatched remote code execution flaw exists in Swagger

#1003 Let’s Encrypt celebrates big HTTPS milestone

#1002 Hackers would like to join your LinkedIn network - and you'd probably accept them

#1001 McAfee Labs: Threats Report (PDF)

#1000 ‘GODLESS’ mobile malware uses multiple exploits to root devices

#999 Firm pays $950,000 penalty for using WiFi signals to secretly track phone users

#998 Advantech patches WebAccess remote code execution flaws

#997 Ransomware a two-year nightmare in the making