Insecure Temporary File

Affecting org.openapitools:openapi-generator-maven-plugin artifact, versions [,5.1.0)

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

org.openapitools:openapi-generator-maven-plugin is an It allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec (v2, v3)

Affected versions of this package are vulnerable to Insecure Temporary File. Using File.createTempFile in JDK results in creating and using insecure temporary files that can leave application and system data vulnerable to attacks.

Note: Only impacts unix-like systems where the local system temporary directory is shared between all users. Does not impact Windows or modern versions of MacOS.

Remediation

Upgrade org.openapitools:openapi-generator-maven-plugin to version 5.1.0 or higher.

References

CVSS Score

4.0
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit
Jonathan Leitschuh
CVE
CVE-2021-21429
CWE
CWE-377 CWE-552
Snyk ID
SNYK-JAVA-ORGOPENAPITOOLS-1277191
Disclosed
28 Apr, 2021
Published
28 Apr, 2021