GHSA-9x4c-63pf-525f

Source
https://github.com/advisories/GHSA-9x4c-63pf-525f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-9x4c-63pf-525f/GHSA-9x4c-63pf-525f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9x4c-63pf-525f
Aliases
Related
Published
2020-08-20T14:38:24Z
Modified
2024-10-07T17:04:27.698172Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
openapi-python-client Arbitrary Code Generation vulnerability
Details

Impact

Clients generated from a maliciously crafted OpenAPI document can contain arbitrary Python code. Subsequently executing such a malicious client results in arbitrary code execution.

This is assigned a CVSS score of 8.0 (High) with the vector CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C.

Patches

The fix will be included in version 0.5.3.

Workarounds

Inspect OpenAPI documents before generating clients from them, or inspect the generated code before executing it.

For more information

If you have any questions or comments about this advisory:
  • Open an issue in openapi-python-client
  • Email us at danthony@triaxtec.com

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-14T16:09:33Z"
}
References

Affected packages

PyPI / openapi-python-client

Package

Name
openapi-python-client
Purl
pkg:pypi/openapi-python-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.5.3

Affected versions

0.*

0.1.0.dev0
0.1.0
0.1.1
0.1.2
0.2.0
0.2.1
0.3.0
0.4.0rc1
0.4.0
0.4.1
0.4.2
0.5.0
0.5.1
0.5.2