Vulnerability Description
Openapi generator is a java tool which allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. openapi-generator-online creates insecure temporary folders with File.createTempFile during the code generation process. The insecure temporary folders store the auto-generated files which can be read and appended to by any users on the system. The issue has been patched with `Files.createTempFile` and released in the v5.1.0 stable version.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openapi-Generator | Openapi Generator | < 5.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/OpenAPITools/openapi-generator/pull/8788PatchThird Party Advisory
- https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-23x4-ExploitThird Party Advisory
- https://github.com/OpenAPITools/openapi-generator/pull/8788PatchThird Party Advisory
- https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-23x4-ExploitThird Party Advisory
FAQ
What is CVE-2021-21428?
CVE-2021-21428 is a vulnerability with a CVSS score of 9.3 (CRITICAL). Openapi generator is a java tool which allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. openapi-generator-...
How severe is CVE-2021-21428?
CVE-2021-21428 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-21428?
Check the references section above for vendor advisories and patch information. Affected products include: Openapi-Generator Openapi Generator.