
635 matches found

Imperva Blog | added 2022/01/12 3:26 p.m. | 17 views

How to Make API Security an Integral Part of Your Application Security Strategy

The farther your organization travels down the digital transformation path, the more critical API protection is to your overall security posture. Every day, your development teams are innovating; they rely more on microservices to save time and money as they automate business-to-business processe...

AI score: 1.7
Exploits: 0
Github Security Blog | added 2021/12/09 7:08 p.m. | 410 views

Server side request forgery in SwaggerUI

SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like petstore.swagger.io, editor.swagger.io, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered...

CVSS: 6.1 | AI score: 0.1 | EPSS: 0.00417
Exploits: 1 | References: 5 | Affected software: 4
OSV | added 2021/12/09 7:08 p.m. | 2 views

GHSA-QRMM-W75W-3WPX Server side request forgery in SwaggerUI

SwaggerUI supports displaying remote OpenAPI definitions through the ?url parameter. This enables robust demonstration capabilities on sites like petstore.swagger.io, editor.swagger.io, and similar sites, where users often want to see what their OpenAPI definitions would look like rendered...

AI score: 7.2
Exploits: 0 | References: 5
Kitploit | added 2021/12/07 11:30 a.m. | 21 views

Swurg - Parse OpenAPI Documents Into Burp Suite For Automating OpenAPI-based APIs Security Assessments

Swurg is a Burp Suite extension designed for OpenAPI testing. The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for REST APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring acce...

AI score: 7.7
Exploits: 0 | References: 2
Wallarm Lab | added 2021/11/08 3:57 p.m. | 9 views

Discovering Shadow APIs with Wallarm API firewall

Shadow APIs can be defined as active endpoints that you are not aware of. Some APIs are deployed but never documented. Others are services that don’t have an owner anymore. Some are even old v2 versions that have been deprecated for years, yet still exposed. Long story short: these APIs are not...

AI score: 7.1
Exploits: 0
Ivan 'd0znpp' Novikov | added 2021/10/14 6:27 p.m. | 56 views

What is OpenAPI ❓ Concept, Examples and Advantages

What is OpenAPI? If there is anything that is growing anything like leaps and bounds then it’s API development and awareness towards API’s security. Whether it’s web API or mobile API, growth is significant in each domain. While we discuss API development, OpenAPI deserves a mention for sure. Thi...

AI score: 7.4
Exploits: 0
OSV | added 2021/10/12 4:05 p.m. | 13 views

GHSA-Q324-Q795-2Q5P Path traversal when using `preview-docs` when working dir contains files with question mark `?` in name

Impact: The preview-docs command allows path traversal if the current working directory contains files with a question mark `?` in the name and the attacker knows the name. Patches: Patched starting from 1.0.0-beta.59. Workarounds: Do not run the openapi-cli preview-docs command in a folder which contains files with...

AI score: 7.2
Exploits: 0 | References: 3
Ivan 'd0znpp' Novikov | added 2021/08/24 10:06 a.m. | 54 views

API8: Injection☝️ — What you need to know

Introduction. API8:2019 Injection. What is Injection? APIs with the following properties are open to injection flaws: when we don’t sanitize the input from the front-end we are opening ourselves to a world of problems; this would allow the user to input...

AI score: 8.4
Exploits: 0
vulnersOsv | added 2021/06/21 5:12 p.m. | 0 views

@apalchys/serverless-openapi-documentation (>=0.1.0 <=0.5.4), @conqa/serverless-openapi-documentation (>=1.0.1 <=1.0.4) +27 more potentially affected by CVE-2021-23396 via lutils (>=0.2.11 <=2.4.0)

lutils NPM version =0.2.11, =0.1.0, =1.0.1, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =2.0.9, =0.3.0, =0.0.1, =0.1.9 and more Source cves: CVE-2021-23396 Source advisory: OSV:GHSA-3R8W-MPHV-2F3F...

CVSS: 9.8 | AI score: 7.2 | EPSS: 0.00391
Exploits: 1
vulnersOsv | added 2021/06/17 3:26 p.m. | 0 views

@apalchys/serverless-openapi-documentation (>=0.1.0 <=0.5.4), @conqa/serverless-openapi-documentation (>=1.0.1 <=1.0.4) +27 more potentially affected by CVE-2021-23396 via lutils (>=0.2.11 <=2.4.0)

lutils NPM version =0.2.11, =0.1.0, =1.0.1, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =2.0.9, =0.3.0, =0.0.1, =0.1.9 and more Source cves: CVE-2021-23396 Source advisory: SNYK:JS-LUTILS-1311023...

CVSS: 9.8 | AI score: 7.2 | EPSS: 0.00391
Exploits: 1
OpenVAS | added 2021/05/27 12:00 a.m. | 16 views

Fedora: Security Advisory for python-fastapi (FEDORA-2021-e7fabd81fb)

The remote host is missing an update for the ... Copyright (C) 2021 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.00066
Exploits: 0 | References: 2
Fedora | added 2021/05/23 1:07 a.m. | 141 views

[SECURITY] Fedora 34 Update: python-fastapi-0.65.1-2.fc34

FastAPI is a modern, fast (high-performance) web framework for building APIs with Python 3.6+ based on standard Python type hints. The key features are: Fast: Very high performance, on par with NodeJS and Go (thanks to Starlette and Pydantic). One of the fastest Python...

CVSS: 5 | AI score: 5.8 | EPSS: 0.00066
Exploits: 0
Veracode | added 2021/05/11 7:28 a.m. | 17 views

Insecure Temporary File And Folder

openapi-generator-online uses insecure temporary file and folder. The usage of Files.createTempFile to create temporary files and folders allows auto-generated files to be read and modified by any user on the system...

CVSS: 9.3 | AI score: 2.7 | EPSS: 0.0005
Exploits: 1 | References: 2 | Affected software: 1
OSV | added 2021/05/11 12:05 a.m. | 36 views

GHSA-CQXR-XF2W-943W Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code

Impact: This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually! On Unix-like systems, the system temporary directory is shared between all local users. When...

CVSS: 6.2 | AI score: 5.9 | EPSS: 0.00068
Exploits: 1 | References: 6
vulnersOsv | added 2021/05/11 12:05 a.m. | 0 views

app.keyconnect.api:keyconnect-api (=1.0.0), app.keyconnect:keyconnect-rippled-api (=1.0.0) +127 more potentially affected by CVE-2021-21430 via org.openapitools:openapi-generator (>=3.0.0 <=5.0.1)

org.openapitools:openapi-generator MAVEN version =3.0.0, =4.1, =4.1, =0.1.0.0, =0.1.0.0, =0.1.0.0, =0.4.0, =0.1.0.0, =0.1.3, =1.1, =0.4.0, =0.5.1, =0.4.0, =0.4.0, =0.5.3 and more Source cves: CVE-2021-21430 Source advisory: OSV:GHSA-CQXR-XF2W-943W...

CVSS: 6.2 | AI score: 6.1 | EPSS: 0.00068
Exploits: 1
Github Security Blog | added 2021/05/11 12:05 a.m. | 57 views

Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code

Impact: This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually! On Unix-like systems, the system temporary directory is shared between all local users. When...

CVSS: 6.2 | AI score: 0.3 | EPSS: 0.00068
Exploits: 1 | References: 6 | Affected software: 1
Github Security Blog | added 2021/05/11 12:04 a.m. | 68 views

Creation of Temporary File in Directory with Insecure Permissions in the OpenAPI-Generator online generator

Impact: On Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This...

CVSS: 9.3 | AI score: 0.5 | EPSS: 0.0005
Exploits: 1 | References: 6 | Affected software: 1
NVD | added 2021/05/10 8:15 p.m. | 13 views

CVE-2021-21430

OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using File.createTempFile in JDK will result in creating and using insecure temporary files that can leave application and system data...

CVSS: 6.2 | EPSS: 0.00068
Exploits: 1 | References: 3
OSV | added 2021/05/10 8:15 p.m. | 15 views

CVE-2021-21430

OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using File.createTempFile in JDK will result in creating and using insecure temporary files that can leave application and system data...

CVSS: 5.5 | AI score: 7
Exploits: 0 | References: 3
Prion | added 2021/05/10 8:15 p.m. | 10 views

Design/Logic Flaw

OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using File.createTempFile in JDK will result in creating and using insecure temporary files that can leave application and system data...

CVSS: 2.1 | AI score: 5.6 | EPSS: 0.00068
Exploits: 1 | References: 3 | Affected software: 1