CVE-2024-35219 Information

May 29, 2024 cve

Description

OpenAPI Generator allows generation of API client libraries (SDK generation) server stubs documentation and configuration automatically given an OpenAPI Spec. Prior to version 7.6.0 attackers can exploit a path traversal vulnerability to read and delete files and folders from an arbitrary writable directory as anyone can set the output folder when submitting the request via the outputFolder option. The issue was fixed in version 7.6.0 by removing the usage of the outputFolder option. No known workarounds are available.

Reference

https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-g3hr-p86p-593h https://github.com/OpenAPITools/openapi-generator/pull/18652 https://github.com/OpenAPITools/openapi-generator/commit/edbb021aadae47dcfe690313ce5119faf77f800d

Share on: