CVE-2024-35219
published 2024-05-27

Priority: P1 (78) · Severity: high · CVSS 3.1 base score: 8.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Exploited in the wild; public exploit available; listed in VulnCheck KEV
EPSS: 3.59% (88.0th percentile)
OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Prior to version 7.6.0, attackers can exploit a path traversal vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the `outputFolder` option. The issue was fixed in version 7.6.0 by removing the usage of the `outputFolder` option. No known workarounds are available.

Affected

1 range

Vendor       | Product           | Version range | Fixed in
openapitools | openapi-generator | < 7.6.0       | 7.6.0

Detection & IOCs (extracted from sources)

URL: POST /api/gen/clients/csharp HTTP/1.1
URL: GET /api/gen/download/{code} HTTP/1.1
URL: https://raw.githubusercontent.com/OpenAPITools/openapi-generator/master/modules/openapi-generator/src/test/resources/2_0/petstore.yaml
  • Detect path traversal exploitation attempts via the `outputFolder` option in POST requests to /api/gen/clients/* endpoints. Look for sequences of `../` in the JSON body's `outputFolder` field.
  • Monitor subsequent GET requests to /api/gen/download/<code> after a suspicious POST to /api/gen/clients/*; this two-step flow is the exploitation pattern for arbitrary file read.
  • A successful exploit response to /api/gen/download/<code> will contain filesystem paths/filenames from the traversed directory (e.g., `pixmaps/debian-logo.png`), indicating arbitrary file read.
  • The vulnerability was fixed in version 7.6.0 by completely removing support for the `outputFolder` option. Affected versions are 7.5.0 and below.
  • No workarounds are available for affected versions; upgrade is the only remediation.
  • Red Hat assessed openapi-generator-online in OpenShift Serverless, Red Hat Fuse 7, and streams for Apache Kafka as Not Affected.
  • Exploitation requires the ability to submit requests to the generator service; environments with strict access controls reduce feasibility.
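The first three detection bullets describe a two-stage pattern: a POST to /api/gen/clients/* whose `outputFolder` climbs out of the working directory, followed by a GET to /api/gen/download/<code> from the same client. The following detector is an added example written for this record; it is not code from the OpenAPI Generator project or from the record's sources. It runs over constructed request-log lines (the IPs, timestamps, codes and folder values are made up), assumes one JSON object per line sorted by time, and, as an assumption beyond the record, checks for `outputFolder` both at the top level of the body and inside an `options` object. It also goes slightly beyond the literal `../` check by percent-decoding (twice) and normalising backslashes before looking for a `..` segment.

```python
import json
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample request log (not real traffic): one JSON object per line,
# already sorted by timestamp, with the parsed request body attached for POSTs.
SAMPLE_LOG = r"""
{"ts": "2024-06-01T10:00:00Z", "src": "198.51.100.7", "method": "POST", "path": "/api/gen/clients/csharp", "body": {"openAPIUrl": "https://example.invalid/petstore.yaml", "options": {"outputFolder": "../../../../usr/share"}}}
{"ts": "2024-06-01T10:00:02Z", "src": "198.51.100.7", "method": "GET", "path": "/api/gen/download/abc123", "body": null}
{"ts": "2024-06-01T10:05:00Z", "src": "203.0.113.9", "method": "POST", "path": "/api/gen/clients/java", "body": {"openAPIUrl": "https://example.invalid/petstore.yaml", "options": {"outputFolder": "build/java-client"}}}
{"ts": "2024-06-01T10:05:01Z", "src": "203.0.113.9", "method": "GET", "path": "/api/gen/download/def456", "body": null}
{"ts": "2024-06-01T10:09:00Z", "src": "192.0.2.4", "method": "POST", "path": "/api/gen/clients/python", "body": {"openAPIUrl": "https://example.invalid/petstore.yaml", "outputFolder": "%2e%2e%2f%2e%2e%2fetc"}}
"""

# Endpoints named in the record's detection guidance.
CLIENT_GEN = re.compile(r"^/api/gen/clients/[^/]+$")
DOWNLOAD = re.compile(r"^/api/gen/download/([^/]+)$")


def extract_output_folder(body):
    """Return the outputFolder string from a generator request body, or None.

    Assumption (not stated on the record page): the field may sit at the top
    level of the JSON body or inside its 'options' object, so both are checked.
    """
    if not isinstance(body, dict):
        return None
    value = body.get("outputFolder")
    if value is None and isinstance(body.get("options"), dict):
        value = body["options"].get("outputFolder")
    return value if isinstance(value, str) else None


def has_traversal(folder):
    """True when the folder contains a '..' path segment after percent-decoding
    (applied twice to catch double encoding) and backslash normalisation.
    'foo..bar' is not a traversal segment and is left alone."""
    decoded = unquote(unquote(folder)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def parse_log(text):
    """Parse the JSON-lines log into event dicts with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, window=timedelta(minutes=5)):
    """Return findings for generator requests that match the record's pattern.

    Stage 1 flags a POST to /api/gen/clients/* whose outputFolder traverses
    upward (severity 'medium'). Stage 2 raises the finding to 'high' when the
    same source fetches /api/gen/download/<code> within `window`, the two-step
    flow the record describes as the arbitrary-file-read pattern.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["method"] != "POST" or not CLIENT_GEN.match(ev["path"]):
            continue
        folder = extract_output_folder(ev.get("body"))
        if folder is None or not has_traversal(folder):
            continue
        finding = {
            "src": ev["src"],
            "ts": ev["ts"],
            "path": ev["path"],
            "outputFolder": folder,
            "download_code": None,
            "severity": "medium",
        }
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            m = DOWNLOAD.match(later["path"])
            if m and later["method"] == "GET" and later["src"] == ev["src"]:
                finding["download_code"] = m.group(1)
                finding["severity"] = "high"
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f["severity"], f["src"], f["path"], f["outputFolder"], f["download_code"])
```

The correlation window is deliberately short because the record describes the download as the immediate second step; widen it if your generator instance queues jobs. The benign java request with a relative `build/java-client` folder is not flagged, which is the false-positive case a deployment of this rule has to keep quiet.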

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.3   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
vulncheck     |         | 8.3   | HIGH     |
vendor_redhat |         | 8.3   | HIGH     |