CVE-2024-45801: Mitigated by default & patches

A security advisory has been published for DOMPurify, an open-source library used by swagger-ui, an optional component of the "Spring Docs" framework that DMC has used since version 2023.2 to make API documentation available.

Please note that "Spring Docs" is included in DMC, but disabled by default. Also, the vulnerability only affects the "Swagger" API-Testing frontend included in Spring Docs, which is neither an officially supported feature of DMC nor something users usually interact with.

Based on our understanding, a cross-site scripting (XSS) attack would only be possible if all of the following conditions are met:

  • the DMC_ENABLE_OPENAPI flag is set to true
  • an attacker is able to introduce malicious content into the API-Testing frontend (which does not usually accept or store any user input)
  • a DMC user actually visits the unsupported API-Testing frontend

Affected Versions

  • Release 2023.2 before Patch 2023.2.7
  • Release 2024.1 before Patch 2024.1.4

Mitigation

  • The issue is already mitigated by the DMC default configuration.
  • If DMC_ENABLE_OPENAPI is currently set to true, it is recommended to switch it to false until a patch has been applied.
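To make the conditions and version ranges above checkable on a running deployment, the following is an added example (not part of this advisory or of DMC) that classifies a deployment as patched, mitigated or exposed from its version string and the DMC_ENABLE_OPENAPI setting; it assumes version strings of the form "2023.2.3" (release plus patch number) and reads the flag from an environment variable of the same name, both of which are assumptions.

```python
"""Exposure check for CVE-2024-45801 on a DMC deployment (added example).

Affected per the advisory: 2023.2 before patch 2023.2.7 and 2024.1 before
patch 2024.1.4, and only when DMC_ENABLE_OPENAPI is true. The version
format "YYYY.R.P" and the environment-variable lookup are assumptions.
"""
import os
from typing import Optional, Tuple

# Release lines named in the advisory -> first patch that removes the
# Swagger API-Testing frontend.
FIXED_PATCH = {
    (2023, 2): 7,
    (2024, 1): 4,
}

TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'YYYY.R.P' into (year, release, patch); a missing patch is 0."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised DMC version string: {version!r}")
    patch = int(parts[2]) if len(parts) == 3 else 0
    return int(parts[0]), int(parts[1]), patch


def flag_enabled(value: Optional[str]) -> bool:
    """Interpret DMC_ENABLE_OPENAPI; unset or any other value is the default (false)."""
    return value is not None and value.strip().lower() in TRUE_VALUES


def exposure(version: str, enable_openapi: Optional[str]) -> str:
    """Classify as 'not-listed', 'patched', 'mitigated' or 'exposed'."""
    year, release, patch = parse_version(version)
    fixed = FIXED_PATCH.get((year, release))
    if fixed is None:
        return "not-listed"   # release line not named in the advisory
    if patch >= fixed:
        return "patched"      # Swagger frontend already removed
    # Vulnerable build: only exposed if the non-default flag is on.
    return "exposed" if flag_enabled(enable_openapi) else "mitigated"


if __name__ == "__main__":
    # Assumed sources: DMC_VERSION and DMC_ENABLE_OPENAPI environment variables.
    ver = os.environ.get("DMC_VERSION", "2023.2.3")
    print(ver, "->", exposure(ver, os.environ.get("DMC_ENABLE_OPENAPI")))
```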

Patches

The Swagger API-Testing frontend has been removed, thereby eliminating the issue, in DMC 2023.2.7 and 2024.1.4.

All officially supported DMC functionality is unaffected by this change.