rswag before 2.10.1 allows remote attackers to read arbitrary JSON and YAML files via directory traversal, because rswag-api can expose a file that is not the OpenAPI (or Swagger) specification file of a project.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| rswag_project | rswag | * |