cvelistv5 - cve-2021-21363

CVE-2021-21363 (GCVE-0-2021-21363)

Vulnerability from cvelistv5 – Published: 2021-03-11 03:05 – Updated: 2024-08-03 18:09

Summary

swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N

CWE

CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions
CWE-378 - Creation of Temporary File With Insecure Permissions

Assigner

GitHub_M

References

URL

Tags

	https://github.com/swagger-api/swagger-codegen/se…	x_refsource_CONFIRM
	https://github.com/swagger-api/swagger-codegen/co…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	swagger-api	swagger-codegen	Affected: < 2.4.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:16.080Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "swagger-codegen",
          "vendor": "swagger-api",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.4.19"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-378",
              "description": "CWE-378: Creation of Temporary File With Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-11T03:05:23",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
        }
      ],
      "source": {
        "advisory": "GHSA-pc22-3g76-gm6j",
        "discovery": "UNKNOWN"
      },
      "title": "Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21363",
          "STATE": "PUBLIC",
          "TITLE": "Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "swagger-codegen",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.4.19"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "swagger-api"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-378: Creation of Temporary File With Insecure Permissions"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j",
              "refsource": "CONFIRM",
              "url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
            },
            {
              "name": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89",
              "refsource": "MISC",
              "url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-pc22-3g76-gm6j",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21363",
    "datePublished": "2021-03-11T03:05:23",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:16.080Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:smartbear:swagger-codegen:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.4.19\", \"matchCriteriaId\": \"28D1596B-24DA-4372-B7C9-585ECDBA8C30\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364.\"}, {\"lang\": \"es\", \"value\": \"swagger-codegen es un proyecto de c\\u00f3digo abierto que contiene un motor basado en plantillas para generar documentaci\\u00f3n, clientes API y stubs de servidor en diferentes idiomas mediante el an\\u00e1lisis de su definici\\u00f3n de OpenAPI/Swagger.\u0026#xa0;En swagger-codegen versiones anteriores a 2.4.19, en sistemas similares a Unix, el directorio temporal del sistema se comparte entre todos los usuarios de ese sistema.\u0026#xa0;Un usuario ubicado puede observar el proceso de creaci\\u00f3n de un subdirectorio temporal en el directorio temporal compartido y una corrida para completar la creaci\\u00f3n del subdirectorio temporal.\u0026#xa0;Esta vulnerabilidad es una escalada de privilegios local porque un atacante puede agregar el contenido de \\\"outputFolder\\\".\u0026#xa0;Como tal, el c\\u00f3digo escrito en este directorio, cuando se ejecuta, puede ser controlado por el atacante.\u0026#xa0;Para mayor detalles, consulte el GitHub Security Advisory al que se hace referencia.\u0026#xa0;Esta vulnerabilidad es corregido en versi\\u00f3n 2.4.19\"}]",
      "id": "CVE-2021-21363",
      "lastModified": "2024-11-21T05:48:12.120",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.8, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.0, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 4.4, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.4, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-03-11T03:15:11.977",
      "references": "[{\"url\": \"https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-378\"}, {\"lang\": \"en\", \"value\": \"CWE-379\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-21363\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-03-11T03:15:11.977\",\"lastModified\":\"2024-11-21T05:48:12.120\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364.\"},{\"lang\":\"es\",\"value\":\"swagger-codegen es un proyecto de c\u00f3digo abierto que contiene un motor basado en plantillas para generar documentaci\u00f3n, clientes API y stubs de servidor en diferentes idiomas mediante el an\u00e1lisis de su definici\u00f3n de OpenAPI/Swagger.\u0026#xa0;En swagger-codegen versiones anteriores a 2.4.19, en sistemas similares a Unix, el directorio temporal del sistema se comparte entre todos los usuarios de ese sistema.\u0026#xa0;Un usuario ubicado puede observar el proceso de creaci\u00f3n de un subdirectorio temporal en el directorio temporal compartido y una corrida para completar la creaci\u00f3n del subdirectorio temporal.\u0026#xa0;Esta vulnerabilidad es una escalada de privilegios local porque un atacante puede agregar el contenido de \\\"outputFolder\\\".\u0026#xa0;Como tal, el c\u00f3digo escrito en este directorio, cuando se ejecuta, puede ser controlado por el atacante.\u0026#xa0;Para mayor detalles, consulte el GitHub Security Advisory al que se hace referencia.\u0026#xa0;Esta vulnerabilidad es corregido en versi\u00f3n 2.4.19\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":4.4,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-378\"},{\"lang\":\"en\",\"value\":\"CWE-379\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:smartbear:swagger-codegen:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.4.19\",\"matchCriteriaId\":\"28D1596B-24DA-4372-B7C9-585ECDBA8C30\"}]}]}],\"references\":[{\"url\":\"https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

FKIE_CVE-2021-21363

Vulnerability from fkie_nvd - Published: 2021-03-11 03:15 - Updated: 2024-11-21 05:48

Severity ?

5.3 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	smartbear	swagger-codegen	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:smartbear:swagger-codegen:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "28D1596B-24DA-4372-B7C9-585ECDBA8C30",
              "versionEndExcluding": "2.4.19",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364."
    },
    {
      "lang": "es",
      "value": "swagger-codegen es un proyecto de c\u00f3digo abierto que contiene un motor basado en plantillas para generar documentaci\u00f3n, clientes API y stubs de servidor en diferentes idiomas mediante el an\u00e1lisis de su definici\u00f3n de OpenAPI/Swagger.\u0026#xa0;En swagger-codegen versiones anteriores a 2.4.19, en sistemas similares a Unix, el directorio temporal del sistema se comparte entre todos los usuarios de ese sistema.\u0026#xa0;Un usuario ubicado puede observar el proceso de creaci\u00f3n de un subdirectorio temporal en el directorio temporal compartido y una corrida para completar la creaci\u00f3n del subdirectorio temporal.\u0026#xa0;Esta vulnerabilidad es una escalada de privilegios local porque un atacante puede agregar el contenido de \"outputFolder\".\u0026#xa0;Como tal, el c\u00f3digo escrito en este directorio, cuando se ejecuta, puede ser controlado por el atacante.\u0026#xa0;Para mayor detalles, consulte el GitHub Security Advisory al que se hace referencia.\u0026#xa0;Esta vulnerabilidad es corregido en versi\u00f3n 2.4.19"
    }
  ],
  "id": "CVE-2021-21363",
  "lastModified": "2024-11-21T05:48:12.120",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-03-11T03:15:11.977",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-378"
        },
        {
          "lang": "en",
          "value": "CWE-379"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GSD-2021-21363

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-21363

Aliases

CVE-2021-21363

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-21363",
    "description": "swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364.",
    "id": "GSD-2021-21363"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-21363"
      ],
      "details": "swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364.",
      "id": "GSD-2021-21363",
      "modified": "2023-12-13T01:23:10.368282Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-21363",
        "STATE": "PUBLIC",
        "TITLE": "Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "swagger-codegen",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 2.4.19"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "swagger-api"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-378: Creation of Temporary File With Insecure Permissions"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j",
            "refsource": "CONFIRM",
            "url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
          },
          {
            "name": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89",
            "refsource": "MISC",
            "url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-pc22-3g76-gm6j",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.4.19)",
          "affected_versions": "All versions before 2.4.19",
          "cvss_v2": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-378",
            "CWE-379",
            "CWE-937"
          ],
          "date": "2021-03-18",
          "description": "swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition.",
          "fixed_versions": [
            "2.4.19"
          ],
          "identifier": "CVE-2021-21363",
          "identifiers": [
            "CVE-2021-21363",
            "GHSA-pc22-3g76-gm6j"
          ],
          "not_impacted": "All versions starting from 2.4.19",
          "package_slug": "maven/io.swagger/swagger-codegen-maven-plugin",
          "pubdate": "2021-03-11",
          "solution": "Upgrade to version 2.4.19 or above.",
          "title": "Creation of Temporary File With Insecure Permissions",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-21363"
          ],
          "uuid": "0c985bd1-1ca7-46de-9692-1a98982413aa"
        },
        {
          "affected_range": "(,2.4.19)",
          "affected_versions": "All versions before 2.4.19",
          "cvss_v2": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-378",
            "CWE-379",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2021-03-22",
          "description": "swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364.",
          "fixed_versions": [
            "2.4.19"
          ],
          "identifier": "CVE-2021-21363",
          "identifiers": [
            "GHSA-pc22-3g76-gm6j",
            "CVE-2021-21363"
          ],
          "not_impacted": "All versions starting from 2.4.19",
          "package_slug": "maven/io.swagger/swagger-codegen",
          "pubdate": "2021-03-11",
          "solution": "Upgrade to version 2.4.19 or above.",
          "title": "Creation of Temporary File in Directory with Insecure Permissions",
          "urls": [
            "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-21363",
            "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89",
            "https://github.com/advisories/GHSA-pc22-3g76-gm6j"
          ],
          "uuid": "32f760aa-3672-4ed2-861f-58fb99ef3120"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:smartbear:swagger-codegen:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.4.19",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21363"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-378"
                },
                {
                  "lang": "en",
                  "value": "CWE-379"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
            },
            {
              "name": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 3.4,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-03-18T16:11Z",
      "publishedDate": "2021-03-11T03:15Z"
    }
  }
}

GHSA-PC22-3G76-GM6J

Vulnerability from github – Published: 2021-03-11 03:09 – Updated: 2021-03-22 23:45

Summary

Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory

Details

Impact

On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory.

This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.

Java Code

The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185

Patches

Fix has been applied to the master branch with:

https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89

included in release: 2.4.19

References

For more information

If you have any questions or comments about this advisory:

Email us at security@swagger.io

Original vulnerability report

I'm performing OSS security research under the GitHub Security Lab Bug Bounty program. I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.

https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f

https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac

https://github.com/github/codeql/pull/4473

The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.

This vulnerability exists in the maven plugin.

This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability.

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185

This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project.

https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6

This is due to a race condition between the call to delete and the call to mkdirs.

java // ensure file will always be unique by appending random digits File outputFolder = File.createTempFile("codegen-", "-tmp"); // Attacker knows the full path of the file that will be generated // delete the file that was created outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator. // and make a directory of the same name // SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory outputFolder.mkdirs();

This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.

The fix here is to switch to the Files API for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions.

Severity ?

9.3 (Critical)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.swagger:swagger-codegen"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378",
      "CWE-379"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-11T03:07:41Z",
    "nvd_published_at": "2021-03-11T03:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nOn Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. \n\nThis vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.\n\n#### Java Code\n\nThe method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability.\n\nhttps://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185\n\n\n### Patches\n\nFix has been applied to the master branch with:\n\n* https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89\n\nincluded in release: 2.4.19\n\n\n### References\n\n* [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n* [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Email us at [security@swagger.io](mailto:security@swagger.io)\n\n#### Original vulnerability report\n\n\u003e I\u0027m performing OSS security research under the GitHub Security Lab Bug Bounty program.\n\u003e I\u0027ve been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.\n\u003e \n\u003e - https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f\n\u003e - https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac\n\u003e - https://github.com/github/codeql/pull/4473\n\u003e \n\u003e The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.\n\u003e \n\u003e ---\n\u003e \n\u003e This vulnerability exists in the maven plugin.\n\u003e \n\u003e This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability.\n\u003e \n\u003e https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185\n\u003e \n\u003e This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project.\n\u003e \n\u003e https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\u003e \n\u003e This is due to a race condition between the call to `delete` and the call to `mkdirs`.\n\u003e \n\u003e ```java\n\u003e // ensure file will always be unique by appending random digits\n\u003e File outputFolder = File.createTempFile(\"codegen-\", \"-tmp\"); // Attacker knows the full path of the file that will be generated\n\u003e // delete the file that was created\n\u003e outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator.\n\u003e // and make a directory of the same name\n\u003e // SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory\n\u003e outputFolder.mkdirs();\n\u003e ```\n\u003e \n\u003e This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.\n\u003e \n\u003e The fix here is to switch to the `Files` API for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions.\n\u003e ",
  "id": "GHSA-pc22-3g76-gm6j",
  "modified": "2021-03-22T23:45:20Z",
  "published": "2021-03-11T03:09:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21363"
    },
    {
      "type": "WEB",
      "url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-21363 (GCVE-0-2021-21363)

FKIE_CVE-2021-21363

GSD-2021-21363

GHSA-PC22-3G76-GM6J

Impact

Java Code

Patches

References

For more information

Original vulnerability report

Tags

Sightings

Nomenclature