GHSA-f36p-42jv-8rh2: 
Java vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was identified in Lithium's provided Swagger-UI component, tracked as GHSA-f36p-42jv-8rh2. The vulnerability affects Lithium versions below 3.4.2 for both com.wire.bots:lithium and com.wire:lithium Maven packages. This security issue was discovered and reported by Mohit Kumar, published on September 27, 2022, and received a high severity rating with a CVSS score of 8.1 (GitHub Advisory).

The vulnerability is characterized by a CVSS v3.1 base score of 8.1 with the following metrics: Network attack vector, Low attack complexity, No privileges required, User interaction Required, Unchanged scope, High impact on both Confidentiality and Integrity, and No impact on Availability (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). The vulnerability specifically affects the outdated Swagger-UI component included in the Lithium package (GitHub Advisory).

The vulnerability enables attackers to potentially achieve Remote Code Execution (RCE) and exfiltrate secrets within the context of the Swagger session when Swagger-UI is enabled. This poses significant risks to the confidentiality and integrity of affected systems (GitHub Advisory).

The vulnerability has been patched by updating the Swagger-UI component through an upgrade to the latest version of dropwizard-swagger in commit 8b9b406. As a workaround, organizations can reduce the risk of injected external content by implementing a Content-Security-Policy. The fixed version is 3.4.2 for affected packages (GitHub Commit, GitHub Advisory).