Platform
java
Component
org.openapitools:openapi-generator-online
Fixed in
5.1.1
5.1.0
CVE-2021-21428 is a local privilege escalation vulnerability discovered in OpenAPI Generator Online. This flaw allows a malicious user on a Unix-like system to exploit a race condition during temporary file creation, potentially gaining elevated privileges. The vulnerability affects versions of OpenAPI Generator Online up to 5.0.1, and a fix is available in version 5.1.0.
The impact of CVE-2021-21428 is significant due to its potential for local privilege escalation. An attacker who can execute code on the system can leverage this vulnerability to create temporary files within a shared temporary directory. By racing to complete the creation of these temporary subdirectories, the attacker can append malicious code to the output folder. When this code is subsequently executed, the attacker gains control, effectively escalating their privileges. This could allow them to access sensitive data, modify system configurations, or even gain complete control of the affected system. The shared nature of temporary directories on Unix-like systems amplifies the risk, as multiple users could be affected by a single exploit.
CVE-2021-21428 was publicly disclosed on May 11, 2021. While no active exploitation campaigns have been definitively linked to this CVE, the CRITICAL severity and the potential for local privilege escalation warrant immediate attention. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, increasing the likelihood of exploitation if the vulnerability remains unpatched.
Systems running OpenAPI Generator Online version 5.0.1 or earlier are at risk. This includes development environments, CI/CD pipelines that utilize OpenAPI Generator Online, and shared hosting environments where multiple users share the same temporary directory. Organizations using OpenAPI Generator Online to automatically generate API client code are particularly vulnerable.
• linux / server:
find /tmp -type f -mmin -5 -print0 | xargs -0 ls -l | grep -i 'openapi-generator'
• linux / server:
journalctl -f | grep "createTempFile"
• linux / server:
lsof /tmp | grep openapi-generator
disclosure
Exploit status
EPSS
0.05% (16th percentile)
CVSS vector
The primary mitigation for CVE-2021-21428 is to upgrade to OpenAPI Generator version 5.1.0 or later, which addresses the insecure temporary folder creation issue. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restricting access to the temporary directory and closely monitoring file creation within that directory can help detect and prevent malicious activity. Additionally, consider implementing a Web Application Firewall (WAF) or proxy to filter potentially malicious requests targeting the generator. Verification after upgrade can be performed by attempting to create a temporary file and verifying that the permissions are properly restricted and that the file cannot be manipulated by a non-privileged user.
Update OpenAPI Generator to version 5.1.0 or later. That version stops creating temporary files in directories with insecure permissions and thereby removes the exposure.
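The following is an added illustration, not code from the openapi-generator project: it shows the generic insecure temporary-directory pattern that the race described above relies on, the hardened form that creates the directory atomically with owner-only permissions, and the permission check that the advisory's post-upgrade verification step calls for. The class name, method names and the "codegen-" prefix are my own placeholders.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempDirCheck {

    // Insecure pattern (illustrative only): create a temp file, delete it, then
    // reuse its name as a directory. Between delete() and mkdir() another local
    // user can claim the path, and mkdir() applies the process umask (commonly
    // 0755), so the generated output ends up readable by every user on the host.
    static File insecureOutputDir() throws IOException {
        File tmp = File.createTempFile("codegen-", "-out");
        if (!tmp.delete() || !tmp.mkdir()) {
            throw new IOException("could not create output dir: " + tmp);
        }
        return tmp;
    }

    // Hardened pattern: Files.createTempDirectory picks a fresh name and creates
    // the directory in one step, and the file attribute restricts it to the
    // owner (rwx------), so there is no window for another user to pre-create
    // the path or read what is written into it.
    static Path secureOutputDir() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        return Files.createTempDirectory("codegen-", attr);
    }

    // Verification step from the advisory: the directory must carry no group or
    // other permission bits at all.
    static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        File insecure = insecureOutputDir();
        Path secure = secureOutputDir();
        // On a typical Linux host with umask 022 the first line reports false
        // and the second true; both directories are removed afterwards.
        System.out.println(insecure + " owner-only: " + isOwnerOnly(insecure.toPath()));
        System.out.println(secure + " owner-only: " + isOwnerOnly(secure));
        insecure.delete();
        Files.delete(secure);
    }
}
```

Run it as the account that operates the generator (for example `java TempDirCheck` after `javac TempDirCheck.java`); the same `isOwnerOnly` check can be pointed at whatever directory the upgraded generator actually writes into, which is the concrete form of the "permissions are properly restricted" verification mentioned above. On non-POSIX file systems `getPosixFilePermissions` throws `UnsupportedOperationException`, which is the signal that this particular check does not apply there.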
CVE-2021-21428 is a critical vulnerability in OpenAPI Generator Online versions up to 5.0.1 that allows a local attacker to exploit a race condition during temporary file creation, leading to local privilege escalation.
If you are running OpenAPI Generator Online version 5.0.1 or earlier, you are affected by this vulnerability. Upgrade to version 5.1.0 or later to mitigate the risk.
The recommended fix is to upgrade to OpenAPI Generator Online version 5.1.0 or later. As a temporary workaround, restrict access to the temporary directory used by the application.
While no active exploitation campaigns have been definitively confirmed, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the official OpenAPI Generator Online project repository and associated security advisories for detailed information and updates: [https://github.com/openapitools/openapi-generator-online](https://github.com/openapitools/openapi-generator-online)