Arbitrary Code Generation

2020-08-2014:38:24

Google

osv.dev

0.002 Low

EPSS

Percentile

54.0%

JSON

Impact

Clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution.

Giving this a CVSS of 8.0 (high) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C .

Patches

Fix will be included in version 0.5.3

Workarounds

Inspect OpenAPI documents before generating, or inspect generated code before executing.

For more information

If you have any questions or comments about this advisory:

Open an issue in openapi-python-client
Email us at [email protected]

CPENameOperatorVersion
openapi-python-clienteq0.1.0.dev0
openapi-python-clienteq0.5.2
openapi-python-clienteq0.1.2
openapi-python-clienteq0.2.0
openapi-python-clienteq0.4.0
openapi-python-clienteq0.4.2
openapi-python-clienteq0.5.1
openapi-python-clienteq0.4.0rc1
openapi-python-clienteq0.1.0
openapi-python-clienteq0.2.1

Name	Operator	Version
openapi-python-client	eq	0.1.0.dev0
openapi-python-client	eq	0.5.2
openapi-python-client	eq	0.1.2
openapi-python-client	eq	0.2.0
openapi-python-client	eq	0.4.0
openapi-python-client	eq	0.4.2
openapi-python-client	eq	0.5.1
openapi-python-client	eq	0.4.0rc1
openapi-python-client	eq	0.1.0
openapi-python-client	eq	0.2.1