logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2021-21364 io.swagger:swagger-codegen

Package

Manager: maven
Name: io.swagger:swagger-codegen
Vulnerable Version: >=0 <2.4.19

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0008 pctl0.24348

Details

Generated Code Contains Local Information Disclosure Vulnerability ### Impact **This vulnerability impacts generated code.** If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually! On Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default `umask` settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions `-rw-r--r--` and `drwxr-xr-x` respectively, unless an API that explicitly sets safe file permissions is used. #### Java Code The method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability. - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/kotlin-client/infrastructure/ApiClient.kt.mustache#L209 - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/finch/api.mustache#L84 - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L831-L834 - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L630-L633 ### Patches Fix has been applied to the master branch with: * https://github.com/swagger-api/swagger-codegen/commit/35adbd552d5f99b3ff1e0e59da228becc85190f2 included in release: 2.4.19 ### Workarounds Users can remediate the vulnerability in non patched version by manually (or programmatically e.g. in CI) updating the generated source code to use `java.nio.files.Files` temporary file creation instead of `java.io.File`, e.g. by changing ```java if (tempFolderPath == null) return File.createTempFile(prefix, suffix); else return File.createTempFile(prefix, suffix, new File(tempFolderPath)); ``` to ```java if (tempFolderPath == null) return Files.createTempFile(prefix, suffix).toFile(); else return Files.createTempFile(Paths.get(tempFolderPath), prefix, suffix).toFile(); ``` or generally changing: ```java File.createTempFile(prefix, suffix); ``` to ```java Files.createTempFile(prefix, suffix).toFile(); ``` ### References * [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) * [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) * [CWE-732: Incorrect Permission Assignment for Critical Resource](https://cwe.mitre.org/data/definitions/732.html) ### For more information If you have any questions or comments about this advisory: * Email us at [security@swagger.io](mailto:security@swagger.io) #### Original vulnerability report > I'm performing OSS security research under the GitHub Security Lab Bug Bounty program. > I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries. > > - https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f > - https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac > - https://github.com/github/codeql/pull/4473 > > The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users. > > --- > > This code exists in the code generator, in the generated code. > > In this case, I believe this is only a local information disclosure. IE. another user can read the information, not replace it. > > In particular, the method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability. > > This is because `File.createTempFile` creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system. > > - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/kotlin-client/infrastructure/ApiClient.kt.mustache#L209 > - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/finch/api.mustache#L84 > - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L831-L834 > - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L630-L633 > > The fix here is to switch to the `Files` API, instead of `File` as that appropriately sets the file permissions. >

Metadata

Created: 2021-03-11T03:09:18Z
Modified: 2022-10-25T20:35:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-hpv8-9rq5-hq7w/GHSA-hpv8-9rq5-hq7w.json
CWE IDs: ["CWE-200", "CWE-378", "CWE-732"]
Alternative ID: GHSA-hpv8-9rq5-hq7w
Finding: F028
Auto approve: 1