Platform
other
Component
openapi-generator
Fixed in
7.6.1
CVE-2024-35219 describes an Arbitrary File Access vulnerability within OpenAPI Generator, a tool for generating API client libraries, server stubs, and documentation. This flaw allows attackers to read and delete files from arbitrary, writable directories by manipulating the outputFolder option. The vulnerability impacts versions of OpenAPI Generator prior to 7.6.0, and a fix has been released in version 7.6.0.
The primary impact of CVE-2024-35219 is the potential for unauthorized file access and modification. An attacker exploiting this vulnerability could read sensitive configuration files, source code, or other critical data stored within writable directories accessible to the OpenAPI Generator process. Furthermore, the ability to delete files could lead to denial of service or data corruption, disrupting API generation workflows and potentially impacting dependent systems. The ease of exploitation, stemming from the exposed outputFolder parameter, increases the risk of widespread exploitation.
This vulnerability was publicly disclosed on May 27, 2024. As of this writing, there are no known public proof-of-concept exploits available. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential for significant data exposure, it is prudent to prioritize remediation.
Exploit Status
EPSS
52.28% (98% percentile)
CISA SSVC
CVSS Vector
The definitive mitigation for CVE-2024-35219 is to upgrade to OpenAPI Generator version 7.6.0 or later. This version removes the vulnerable outputFolder option, effectively eliminating the attack vector. Since no workarounds are available, upgrading is the only viable solution. After upgrading, verify the fix by attempting to generate an API client with a crafted outputFolder parameter; the request should be rejected, and an error message indicating the option is no longer supported should be displayed.
Actualice OpenAPI Generator a la versión 7.6.0 o superior. Esta versión corrige la vulnerabilidad de path traversal al eliminar la opción `outputFolder`. No hay workarounds disponibles, por lo que la actualización es la única solución.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-35219 is a HIGH severity vulnerability in OpenAPI Generator versions ≤ 7.6.0 that allows attackers to read and delete files by manipulating the outputFolder option.
Yes, if you are using OpenAPI Generator version 7.6.0 or earlier, you are affected by this vulnerability.
Upgrade to OpenAPI Generator version 7.6.0 or later to remediate the vulnerability. No workarounds are available.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants prompt remediation.
Refer to the OpenAPI Generator project's official channels and security advisories for the latest information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.