Headline
GHSA-g3hr-p86p-593h: OpenAPI Generator Online - Arbitrary File Read/Delete
Impact
Attackers can exploit the vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the outputFolder option.
Patches
The issue was fixed via https://github.com/OpenAPITools/openapi-generator/pull/18652 (included in v7.6.0 release) by removing the usage of the outputFolder option.
Workarounds
No workaround available.
References
No other reference available.
Package
maven org.openapitools:openapi-generator-online (Maven)
Affected versions
< 7.6.0
Patched versions
7.6.0
Description
Impact
Attackers can exploit the vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the outputFolder option.
Patches
The issue was fixed via OpenAPITools/openapi-generator#18652 (included in v7.6.0 release) by removing the usage of the outputFolder option.
Workarounds
No workaround available.
References
No other reference available.
References
- GHSA-g3hr-p86p-593h
- https://nvd.nist.gov/vuln/detail/CVE-2024-35219
- OpenAPITools/openapi-generator#18652
- OpenAPITools/openapi-generator@edbb021
wing328 published to OpenAPITools/openapi-generator
May 27, 2024
Published by the National Vulnerability Database
May 27, 2024
Published to the GitHub Advisory Database
May 28, 2024
Reviewed
May 28, 2024
Last updated
May 28, 2024