GHSA-g3hr-p86p-593h

Suggest an improvement
Source
https://github.com/advisories/GHSA-g3hr-p86p-593h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-g3hr-p86p-593h/GHSA-g3hr-p86p-593h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g3hr-p86p-593h
Aliases
Published
2024-05-28T15:47:57Z
Modified
2024-05-28T16:32:40.398953Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H CVSS Calculator
Summary
OpenAPI Generator Online - Arbitrary File Read/Delete
Details

Impact

Attackers can exploit the vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the outputFolder option.

Patches

The issue was fixed via https://github.com/OpenAPITools/openapi-generator/pull/18652 (included in v7.6.0 release) by removing the usage of the outputFolder option.

Workarounds

No workaround available.

References

No other reference available.

References

Affected packages

Maven / org.openapitools:openapi-generator-online

Package

Name
org.openapitools:openapi-generator-online
View open source insights on deps.dev
Purl
pkg:maven/org.openapitools/openapi-generator-online

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.6.0

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4

4.*

4.0.0-beta
4.0.0-beta2
4.0.0-beta3
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.2.1
4.2.2
4.2.3
4.3.0
4.3.1

5.*

5.0.0-beta
5.0.0-beta2
5.0.0-beta3
5.0.0
5.0.1
5.1.0
5.1.1
5.2.0
5.2.1
5.3.0
5.3.1
5.4.0

6.*

6.0.0-beta
6.0.0
6.0.1
6.1.0
6.2.0
6.2.1
6.3.0
6.4.0
6.5.0
6.6.0

7.*

7.0.0-beta
7.0.0
7.0.1
7.1.0
7.2.0
7.3.0
7.4.0
7.5.0