CVE-2020-15142 – openapi-python-client

Package

Manager: pip
Name: openapi-python-client
Vulnerable Version: >=0 <0.5.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00757 pctl0.72364

Details

openapi-python-client Arbitrary Code Generation vulnerability ### Impact Clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution. Giving this a CVSS of 8.0 (high) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C . ### Patches Fix will be included in version 0.5.3 ### Workarounds Inspect OpenAPI documents before generating, or inspect generated code before executing. ### For more information If you have any questions or comments about this advisory: * Open an issue in [openapi-python-client](https://github.com/triaxtec/openapi-python-client/issues) * Email us at [danthony@triaxtec.com](mailto:danthony@triaxtec.com)

Metadata

Created: 2020-08-20T14:38:24Z
Modified: 2024-10-07T16:47:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-9x4c-63pf-525f/GHSA-9x4c-63pf-525f.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-9x4c-63pf-525f
Finding: F422
Auto approve: 1