CVE-2024-35219: OpenAPI Generator Online - Arbitrary File Read/Delete
Attackers can exploit the vulnerability to read and delete files and folders in an arbitrary writable directory, because anyone submitting a generation request can set the output folder through the outputFolder option.
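A defender-side illustration of the root cause and a containment mitigation, added here as an example that is not OpenAPI Generator's own code and does not reproduce the project's actual fix: resolveOutputFolderWeak mirrors the pattern of honouring a client-supplied outputFolder verbatim, while resolveOutputFolderHardened confines any requested folder to a server-controlled root (the GENERATION_ROOT path and both method names are assumptions).

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not OpenAPI Generator's own code. Shows the weak pattern behind
// CVE-2024-35219 (using a caller-chosen output folder) next to a hardened variant
// that keeps all generation output under a directory the server controls.
public final class OutputFolderGuard {

    // Server-controlled root for generated code (assumed path, not from the project).
    static final Path GENERATION_ROOT =
            Paths.get("/var/lib/openapi-generator-online").toAbsolutePath().normalize();

    // Weak: the request's outputFolder value is used as-is, so the caller decides
    // which host directory the generator writes into, reads back and cleans up.
    static Path resolveOutputFolderWeak(String requestedOutputFolder) {
        return Paths.get(requestedOutputFolder);
    }

    // Hardened: the client value may only name a relative subfolder; it is resolved
    // under GENERATION_ROOT, normalized (collapsing ".." segments), and rejected if
    // the result is the root itself or anything outside it.
    static Path resolveOutputFolderHardened(String requestedOutputFolder) {
        Path requested = Paths.get(requestedOutputFolder);
        if (requested.isAbsolute()) {
            throw new SecurityException("absolute output folder not allowed");
        }
        Path resolved = GENERATION_ROOT.resolve(requested).normalize();
        if (!resolved.startsWith(GENERATION_ROOT) || resolved.equals(GENERATION_ROOT)) {
            throw new SecurityException("output folder escapes generation root");
        }
        // A stricter deployment would also compare toRealPath() after creating the
        // directory, so that symlinks placed under the root cannot redirect output.
        return resolved;
    }

    public static void main(String[] args) {
        // Weak resolver hands back whatever directory the caller named.
        System.out.println("weak:     " + resolveOutputFolderWeak("/some/host/directory"));
        // Hardened resolver keeps a plain subfolder name beneath GENERATION_ROOT.
        System.out.println("hardened: " + resolveOutputFolderHardened("job-42/out"));
        // Hardened resolver refuses a traversal attempt out of the root.
        try {
            resolveOutputFolderHardened("../../outside");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```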
References
- github.com/OpenAPITools/openapi-generator
- github.com/OpenAPITools/openapi-generator/commit/edbb021aadae47dcfe690313ce5119faf77f800d
- github.com/OpenAPITools/openapi-generator/pull/18652
- github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-g3hr-p86p-593h
- github.com/advisories/GHSA-g3hr-p86p-593h
- nvd.nist.gov/vuln/detail/CVE-2024-35219