GHSA-q7pf-qr96-2vq5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q7pf-qr96-2vq5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-q7pf-qr96-2vq5/GHSA-q7pf-qr96-2vq5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q7pf-qr96-2vq5
- Aliases
- Published
- 2018-10-19T16:46:41Z
- Modified
- 2023-11-08T03:58:44.108818Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Deserialization of Untrusted Data in swagger-parser
- Details
-
A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This in particular, affects the 'generate' and 'validate' command in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.
- Database specific
{ "nvd_published_at": null, "severity": "HIGH", "cwe_ids": [ "CWE-502" ], "github_reviewed_at": "2020-06-16T21:51:22Z", "github_reviewed": true }- References
Affected packages
Maven / io.swagger:swagger-codegen
Package
- Name
- io.swagger:swagger-codegen
- View open source insights on deps.dev
- Purl
- pkg:maven/io.swagger/swagger-codegen
Maven / io.swagger:swagger-parser
Package
- Name
- io.swagger:swagger-parser
- View open source insights on deps.dev
- Purl
- pkg:maven/io.swagger/swagger-parser