Home > Vulnerability Database > CVE-2017-1000208

Mend.io Vulnerability Database

CVE-2017-1000208

Good to know:

Date: November 16, 2017

A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This in particular, affects the 'generate' and 'validate' command in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.

Language: Java

Severity Score

8.8

Related Resources (6)

Url: https://github.com/swagger-api/swagger-parser

Url: https://github.com/swagger-api/swagger-parser/releases/tag/v1.0.31

Url: https://nvd.nist.gov/vuln/detail/CVE-2017-1000208

Url: https://github.com/advisories/GHSA-q7pf-qr96-2vq5

Url: https://lgtm.com/blog/swagger_snakeyaml_CVE-2017-1000207_CVE-2017-1000208

Url: https://www.mend.io/vulnerability-database/CVE-2017-1000208

Severity Score

8.8

Weakness Type (CWE)

Code

CWE-17

Deserialization of Untrusted Data

CWE-502

Top Fix

Upgrade Version

Upgrade to version io.swagger:swagger-parser:1.0.31;io.swagger:swagger-codegen:2.2.2

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2017-1000208

Good to know:

Date: November 16, 2017

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?