CVE-2021-21428

Опубликовано: 10 мая 2021

Источник: nvd

CVSS3: 9.3

CVSS3: 7

CVSS2: 4.4

EPSS Низкий

Описание

Openapi generator is a java tool which allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. openapi-generator-online creates insecure temporary folders with File.createTempFile during the code generation process. The insecure temporary folders store the auto-generated files which can be read and appended to by any users on the system. The issue has been patched with Files.createTempFile and released in the v5.1.0 stable version.

Ссылки

https://github.com/OpenAPITools/openapi-generator/pull/8788
Patch
Third Party Advisory
https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-23x4-m842-fmwf
Exploit
Third Party Advisory
https://github.com/OpenAPITools/openapi-generator/pull/8788
Patch
Third Party Advisory
https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-23x4-m842-fmwf
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:openapi-generator:openapi_generator:*:*:*:*:*:*:*:*

Версия до 5.1.0 (исключая)

EPSS

Процентиль: 15%

0.0005

Низкий

9.3 Critical

CVSS3

7 High

CVSS3

4.4 Medium

CVSS2

Дефекты

CWE-269

CWE-668

Связанные уязвимости

GHSA-23x4-m842-fmwf

CVSS3: 9.3

github

около 4 лет назад

Creation of Temporary File in Directory with Insecure Permissions in the OpenAPI-Generator online generator

EPSS

Процентиль: 15%

0.0005

Низкий

9.3 Critical

CVSS3

7 High

CVSS3

4.4 Medium

CVSS2

Дефекты

CWE-269

CWE-668