CVE-2021-21430
Published 2021-05-10
CVE-2021-21430: OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI…
PriorityP428medium5.5CVSS 3.1
AV:L AC:L PR:L UI:N S:U C:H I:N A:N
EPSS
0.40%
32.2th percentile
OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. Auto-generated code (Java, Scala) that deals with uploading or downloading binary data through API endpoints will create insecure temporary files during the process. Affected generators: `java` (jersey2, okhttp-gson (default library)), `scala-finch`. The issue has been patched with `Files.createTempFile` and released in the v5.1.0 stable version.
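The two JDK calls the advisory contrasts, side by side, as an added example (not code from openapi-generator or the advisory): `File.createTempFile` yields a umask-governed file, typically `-rw-r--r--`, in the shared temp directory, while `Files.createTempFile` creates it owner-only on POSIX file systems. The class name, the `perms` helper and the sample payload are my own assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

public class TempFileDemo {
    // Vulnerable pattern named in the advisory: java.io.File.createTempFile
    // opens the file with mode 0666 minus the process umask, so on a typical
    // Unix system (umask 022) the file is 0644 in the shared temp directory
    // and readable by every local user.
    static File insecureTemp(byte[] body) throws IOException {
        File f = File.createTempFile("download", ".tmp");
        Files.write(f.toPath(), body);
        return f;
    }

    // Patched pattern: java.nio.file.Files.createTempFile creates the file
    // with owner-only permissions (rw-------) on POSIX, regardless of umask.
    static Path secureTemp(byte[] body) throws IOException {
        Path p = Files.createTempFile("download", ".tmp");
        Files.write(p, body);
        return p;
    }

    // Check helper (assumed, not part of the JDK): returns the POSIX permission
    // set of a path, or null on file systems that do not expose POSIX bits.
    static Set<PosixFilePermission> perms(Path p) throws IOException {
        try {
            return Files.getPosixFilePermissions(p);
        } catch (UnsupportedOperationException e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] body = "constructed sample payload".getBytes(); // constructed input
        File bad = insecureTemp(body);
        Path good = secureTemp(body);
        try {
            System.out.println("File.createTempFile  -> " + perms(bad.toPath()));
            System.out.println("Files.createTempFile -> " + perms(good));
        } finally {
            Files.deleteIfExists(bad.toPath());
            Files.deleteIfExists(good);
        }
    }
}
```

On a Linux host with the default umask the first line prints `[OWNER_READ, OWNER_WRITE, GROUP_READ, OTHERS_READ]` and the second `[OWNER_READ, OWNER_WRITE]`; a code scan for `File.createTempFile` in generated `ApiClient` sources is the quickest way to find one-off generated code that still carries the vulnerable call.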
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openapi-generator | openapi_generator | < 5.1.1 | 5.1.1 |
| openapitools | openapi-generator | < 5.1.0 | 5.1.0 |
CVSS provenance
NVD v3.1: 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 2.1 LOW AV:L/AC:L/Au:N/C:P/I:N/A:N
GHSA
Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code
ghsa·2021-05-11
CVE-2021-21430 [MEDIUM] CWE-269 Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code
### Impact
**This vulnerability impacts generated code.** If this code was generated on a one-off occasion, not as part of an automated CI/CD process, it will remain vulnerable until fixed manually!
On Unix-like systems, the system temporary directory is shared between all local users. When files/directories are created, the default `umask` settings for the process are respected. As a result, by default, most processes/APIs will create files/directories with the permissions `-rw-r--r--` and `drwxr-xr-x` respectively, unless an API that explicitly sets safe file permissions is used.
This vulnerability exists due to the use of the JDK method `File.createTempFile`. This method cre
OSV
Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code
osv·2021-05-11
CVE-2021-21430 [MEDIUM] Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/OpenAPITools/openapi-generator/pull/8787
https://github.com/OpenAPITools/openapi-generator/pull/8791
https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-cqxr-xf2w-943w
2021-05-10
Published