CVE-2024-35219

Published: May 27, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

8.3

HIGH

Description

OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Prior to version 7.6.0, attackers can exploit a path traversal vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the `outputFolder` option. The issue was fixed in version 7.6.0 by removing the usage of the `outputFolder` option. No known workarounds are available.

Vendor	Product	Versions
OpenAPITools	openapi-generator	affected `< 7.6.0`

Weaknesses (CWE)

CWE-22

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

References

https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-g3hr-p86p-593h

x_refsource_CONFIRM

https://github.com/OpenAPITools/openapi-generator/pull/18652

x_refsource_MISC

https://github.com/OpenAPITools/openapi-generator/commit/edbb021aadae47dcfe690313ce5119faf77f800d

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-35219

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References