CRITICAL · CVE-2021-21428 · CVSS 9.3

CVE-2021-21428: Local Privilege Escalation in OpenAPI Generator Online

Platform: java

Component: org.openapitools:openapi-generator-online

Fixed in: 5.1.1, 5.1.0

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2021-21428 is a local privilege escalation vulnerability discovered in OpenAPI Generator Online. This flaw allows a malicious user on a Unix-like system to exploit a race condition during temporary file creation, potentially gaining elevated privileges. The vulnerability affects versions of OpenAPI Generator Online up to 5.0.1, and a fix is available in version 5.1.0.


Impact and Attack Scenarios

The core of this vulnerability lies in how OpenAPI Generator Online creates temporary directories. It relies on the File.createTempFile method for that purpose, and on Unix-like systems this pattern is subject to a race condition. Because the system temporary directory is shared between users, a malicious local user can observe the temporary subdirectory being created and race to complete its creation first. That lets the attacker place code in the output folder, so whatever is later executed from it can be attacker-controlled. The impact is local privilege escalation: the attacker gains the ability to execute code with the privileges of the process running OpenAPI Generator Online, potentially compromising the entire system. This is particularly concerning in shared hosting environments or wherever the OpenAPI Generator Online process runs with elevated privileges.

Exploitation Context

This vulnerability was publicly disclosed on May 11, 2021. While no active exploitation campaigns have been definitively linked to CVE-2021-21428, the CRITICAL severity and the relatively straightforward nature of the race condition suggest a potential for exploitation. No public proof-of-concept exploits are widely available, but the vulnerability's characteristics make it a likely candidate for future exploitation. It is not currently listed on CISA KEV.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: Low

EPSS

0.05% (16th percentile)

CVSS Vector

CVSS 3.1 Base Score: 9.3 CRITICAL
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Local (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
Source: nextguardhq.com, CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Local — attacker needs a local shell or interactive session on the system.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: org.openapitools:openapi-generator-online
Vendor: osv
Affected range: < 5.1.0 · Fixed in: 5.1.1
Affected range: < 5.1.0 · Fixed in: 5.1.0

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade to OpenAPI Generator Online version 5.1.0 or later, which addresses the race condition. If an immediate upgrade is not possible, consider implementing a workaround by restricting access to the temporary directory used by OpenAPI Generator Online. This can be achieved through file system permissions, limiting which users can read, write, or execute files within that directory. Monitoring the creation and modification of files in the temporary directory can also help detect potential exploitation attempts. While not a direct fix, implementing robust input validation and sanitization can reduce the risk of malicious code being injected into the generated files. After upgrading, confirm the fix by attempting to create a temporary file and verifying that the attacker cannot manipulate its contents.
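As an added illustration, not code from the OpenAPI Generator project, of the temp-directory race described under Impact and of the post-upgrade check suggested above: the first method shows the generic create-delete-mkdir pattern that leaves a window in a shared temp directory, the second creates the directory atomically with owner-only permissions and then verifies it. Class and method names are assumptions, and the check requires a POSIX file system.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

public final class TempDirHardening {
    // Generic anti-pattern (shown for contrast only, not the project's code): reserve a
    // name with a temp *file*, delete it, then mkdir the same path. Between delete() and
    // mkdir() the name is free in the shared temp directory, so another local user can claim it.
    static Path insecureTempDir(String prefix) throws IOException {
        File reserved = File.createTempFile(prefix, "");
        if (!reserved.delete()) throw new IOException("delete failed: " + reserved);
        if (!reserved.mkdir()) throw new IOException("mkdir failed: " + reserved); // window already open
        return reserved.toPath();
    }

    // Hardened form: one atomic mkdir with mode 0700, so there is no window to race.
    static final Set<PosixFilePermission> OWNER_ONLY = PosixFilePermissions.fromString("rwx------");

    static Path secureTempDir(String prefix) throws IOException {
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(OWNER_ONLY);
        Path dir = Files.createTempDirectory(prefix, attr);
        verifyOwnedAndPrivate(dir);
        return dir;
    }

    // Post-creation check usable as the "confirm the fix" step: a real directory (not a
    // symlink), owned by the current user, accessible only by that owner.
    static void verifyOwnedAndPrivate(Path dir) throws IOException {
        if (Files.isSymbolicLink(dir) || !Files.isDirectory(dir, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("temp path is not a plain directory: " + dir);
        }
        String owner = Files.getOwner(dir, LinkOption.NOFOLLOW_LINKS).getName();
        if (!owner.equals(System.getProperty("user.name"))) {
            throw new IOException("temp dir " + dir + " is owned by " + owner);
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir, LinkOption.NOFOLLOW_LINKS);
        if (!perms.equals(OWNER_ONLY)) {
            throw new IOException("temp dir " + dir + " has mode " + PosixFilePermissions.toString(perms));
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = secureTempDir("openapi-online-"); // prefix is a constructed sample value
        System.out.println("created private temp dir " + dir);
        Files.delete(dir);
    }
}
```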

How to fix

Update the version of OpenAPI Generator to 5.1.0 or higher. This version fixes the creation of temporary files in directories with insecure permissions, preventing potential security vulnerabilities.


Frequently asked questions

What is CVE-2021-21428 — Local Privilege Escalation in OpenAPI Generator Online?

CVE-2021-21428 is a critical vulnerability in OpenAPI Generator Online versions up to 5.0.1 that allows a local attacker to exploit a race condition during temporary file creation, leading to local privilege escalation.

Am I affected by CVE-2021-21428 in OpenAPI Generator Online?

If you are running OpenAPI Generator Online version 5.0.1 or earlier, you are affected by this vulnerability. Upgrade to version 5.1.0 or later to mitigate the risk.

How do I fix CVE-2021-21428 in OpenAPI Generator Online?

The recommended fix is to upgrade to OpenAPI Generator Online version 5.1.0 or later. As a temporary workaround, restrict access to the temporary directory used by the application.

Is CVE-2021-21428 being actively exploited?

While no active exploitation campaigns have been definitively confirmed, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.

Where can I find the official OpenAPI Generator Online advisory for CVE-2021-21428?

Refer to the official OpenAPI Generator Online project repository and associated security advisories for detailed information and updates: [https://github.com/openapitools/openapi-generator-online](https://github.com/openapitools/openapi-generator-online)
