Platform: other
Component: openapi-generator
Fixed in: 7.6.1
CVE-2024-35219 describes an arbitrary file access vulnerability discovered in OpenAPI Generator, a tool for generating API client libraries, server stubs, and documentation. This flaw allows attackers to read and delete files within writable directories by manipulating the outputFolder option during SDK generation. Versions of OpenAPI Generator prior to 7.6.0 are affected, and a fix has been released in version 7.6.0.
The impact of this vulnerability is significant. An attacker who can successfully exploit CVE-2024-35219 can gain unauthorized access to sensitive files and directories on the server hosting OpenAPI Generator. This could lead to data breaches, system compromise, and potentially even remote code execution if the attacker can leverage the file access to modify or execute malicious code. The ability to delete files also poses a serious risk, potentially disrupting services or causing data loss. Because exploitation requires nothing more than a crafted value for the outputFolder option, widespread attacks are more likely.
CVE-2024-35219 was publicly disclosed on May 27, 2024. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the ease of exploitation and the potential impact, it is reasonable to expect that attackers will actively seek to exploit this vulnerability, particularly in environments where OpenAPI Generator is exposed to untrusted input.
Organizations and developers utilizing OpenAPI Generator for API generation, particularly those using versions prior to 7.6.0, are at risk. This includes teams relying on automated API client generation pipelines and those who have configured OpenAPI Generator to write output to user-controlled directories.
Disclosure
Exploit status
EPSS: 52.28% (98th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-35219 is to upgrade to OpenAPI Generator version 7.6.0 or later. This version removes the vulnerable outputFolder option, effectively closing the path traversal vulnerability. As there are no known workarounds, upgrading is the only viable solution. After upgrading, verify the fix by attempting to generate an SDK with a crafted outputFolder parameter; the generation should fail with an appropriate error message indicating the option is no longer supported.
Upgrade OpenAPI Generator to version 7.6.0 or later. This version fixes the path traversal vulnerability by removing the `outputFolder` option. No workarounds are available, so upgrading is the only solution.
CVE-2024-35219 is a HIGH severity vulnerability in OpenAPI Generator versions ≤ 7.6.0 that allows attackers to read and delete files by manipulating the outputFolder option.
Yes, if you are using OpenAPI Generator version 7.6.0 or earlier, you are affected by this vulnerability.
Upgrade to OpenAPI Generator version 7.6.0 or later to remediate the vulnerability. No workarounds are available.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants prompt remediation.
Refer to the OpenAPI Generator project's official channels and security advisories for the latest information and updates.