CVE-2024-35219

2024-05-2716:15:09

CWE-22

[email protected]

web.nvd.nist.gov

openapi generator

api client libraries

server stubs

path traversal vulnerability

outputfolder

version 7.6.0

nvd

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Prior to version 7.6.0, attackers can exploit a path traversal vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the outputFolder option. The issue was fixed in version 7.6.0 by removing the usage of the outputFolder option. No known workarounds are available.

Affected configurations

Vulners

Node

openapitoolsopenapi_generatorRange<7.6.0

CNA Affected

[
  {
    "vendor": "OpenAPITools",
    "product": "openapi-generator",
    "versions": [
      {
        "version": "< 7.6.0",
        "status": "affected"
      }
    ]
  }
]