CVE-2021-21428: Improper Privilege Management
Openapi generator is a java tool which allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. openapi-generator-online creates insecure temporary folders with File.createTempFile during the code generation process. The insecure temporary folders store the auto-generated files which can be read and appended to by any users on the system. The issue has been patched with Files.createTempFile and released in the v5.1.0 stable version.
References
- github.com/OpenAPITools/openapi-generator/blob/c6530519975341d7784a252132b2f0854f488901/modules/openapi-generator-online/src/main/java/org/openapitools/codegen/online/service/Generator.java
- github.com/OpenAPITools/openapi-generator/pull/8788
- github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-23x4-m842-fmwf
- github.com/advisories/GHSA-23x4-m842-fmwf
- github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j
- nvd.nist.gov/vuln/detail/CVE-2021-21428
Code Behaviors & Features
Detect and mitigate CVE-2021-21428 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →