CVE-2024-35219

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-35219
OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Prior to version 7.6.0, attackers can exploit a path traversal vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the `outputFolder` option. The issue was fixed in version 7.6.0 by removing the usage of the `outputFolder` option. No known workarounds are available.

8.3 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/OpenAPITools/openapi-generator/commit/edbb021aadae47dcfe690313ce5119faf77f800d
https://github.com/OpenAPITools/openapi-generator/pull/18652
https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-g3hr-p86p-593h
https://github.com/OpenAPITools/openapi-generator/commit/edbb021aadae47dcfe690313ce5119faf77f800d
https://github.com/OpenAPITools/openapi-generator/pull/18652
https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-g3hr-p86p-593h
Configurations

No configuration.

History

21 Nov 2024, 09:19

Type Values Removed Values Added
References () https://github.com/OpenAPITools/openapi-generator/commit/edbb021aadae47dcfe690313ce5119faf77f800d - () https://github.com/OpenAPITools/openapi-generator/commit/edbb021aadae47dcfe690313ce5119faf77f800d -
References () https://github.com/OpenAPITools/openapi-generator/pull/18652 - () https://github.com/OpenAPITools/openapi-generator/pull/18652 -
References () https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-g3hr-p86p-593h - () https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-g3hr-p86p-593h -

28 May 2024, 12:39

Type Values Removed Values Added
Summary
  • (es) OpenAPI Generator permite la generación de librerías de cliente API (generación de SDK), códigos auxiliares de servidor, documentación y configuración automáticamente dada una especificación OpenAPI. Antes de la versión 7.6.0, los atacantes podían aprovechar una vulnerabilidad de path traversal para leer y eliminar archivos y carpetas de un directorio grabable arbitrario, ya que cualquiera podía configurar la carpeta de salida al enviar la solicitud a través de la opción `outputFolder`. El problema se solucionó en la versión 7.6.0 eliminando el uso de la opción `outputFolder`. No hay workarounds disponibles.

27 May 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-27 16:15

Updated : 2024-11-21 09:19

NVD link : CVE-2024-35219

Mitre link : CVE-2024-35219

CVE.ORG link : CVE-2024-35219

JSON object : View

Products Affected

No product.

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024