Lucene search
Veracode Vulnerability DatabaseVERACODE:5432HistoryNov 15, 2017 - 6:57 a.m.
Arbitrary Code Execution
2017-11-1506:57:45
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
2
0.002 Low
EPSS
Percentile
53.0%
swagger-parser is susceptible to arbitrary code execution attacks. It does not use a safe parsing method in both the readYamlTree() and readYamlValue() functions of swagger-parser, allowing malicious YAML files from untrusted remote sources to be parsed to the applications. All the online code generators and validators using this parser will be affected.
| CPE | Name | Operator | Version |
|---|---|---|---|
| swagger-parser | le | 1.0.17 | |
| swagger-parser | le | 1.0.30 | |
| swagger-codegen (core library) | le | 2.2.2 |
References
github.com/swagger-api/swagger-parser/commit/4044ecfb80732b721ffa206388574cf08bf7d295
github.com/swagger-api/swagger-parser/pull/481
github.com/swagger-api/swagger-parser/releases/tag/v1.0.31
lgtm.com/blog/swagger_snakeyaml_CVE-2017-1000207_CVE-2017-1000208
lgtm.com/query/2023830455/project:24760076/lang:java/
Related
github
github
Deserialization of Untrusted Data in swagger-parser
2018-10-19 16:46:41
prion
prion
Design/Logic Flaw
2017-11-17 02:29:00
cvelist
cvelist
CVE-2017-1000208
2017-11-17 02:00:00
nvd
nvd
CVE-2017-1000208
2017-11-17 02:29:01
cve
cve
CVE-2017-1000208
2017-11-17 02:29:01
osv
osv
Deserialization of Untrusted Data in swagger-codegen
2018-10-19 16:46:30
Deserialization of Untrusted Data in swagger-parser
2018-10-19 16:46:41