swagger-parser is susceptible to arbitrary code execution. Neither the readYamlTree() nor the readYamlValue() function of swagger-parser uses a safe YAML parsing method (SnakeYAML's default constructor instead of a SafeConstructor), so a crafted YAML document fetched from an untrusted remote source is deserialized by the application with the parser free to instantiate arbitrary classes named in the document. Every online code generator and validator built on this parser is affected.
CPE name | Operator | Version
---|---|---
swagger-parser | le | 1.0.17
swagger-parser | le | 1.0.30
swagger-codegen (core library) | le | 2.2.2
github.com/swagger-api/swagger-parser/commit/4044ecfb80732b721ffa206388574cf08bf7d295
github.com/swagger-api/swagger-parser/pull/481
github.com/swagger-api/swagger-parser/releases/tag/v1.0.31
lgtm.com/blog/swagger_snakeyaml_CVE-2017-1000207_CVE-2017-1000208
lgtm.com/query/2023830455/project:24760076/lang:java/