CVE-2024-35219 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-35219

CVE-2024-35219

May 27, 2024

OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Prior to version 7.6.0, attackers can exploit a path traversal vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the `outputFolder` option. The issue was fixed in version 7.6.0 by removing the usage of the `outputFolder` option. No known workarounds are available.

Additional Notes

The description of this vulnerability differs from MITRE.

Related Resources (5)

https://github.com/OpenAPITools/openapi-generator

https://nvd.nist.gov/vuln/detail/CVE-2024-35219

https://github.com/OpenAPITools/openapi-generator/pull/18652

https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-g3hr-p86p-593h

https://github.com/OpenAPITools/openapi-generator/commit/edbb021aadae47dcfe690313ce5119faf77f800d

Do you need more information?

CVSS v4

Base Score:

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

EPSS

Base Score:

55.21

Products

Solutions

Resources

Company

Compare

Developer Tools