io.swagger:swagger-codegen@2.1.6 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the io.swagger:swagger-codegen package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Information Exposure

Affected versions of this package are vulnerable to Information Exposure. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using API's that do not explicitly set the file/directory permissions can lead to information disclosure. When files/directories are created using the File.createTempFile method, the default umask settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions -rw-r--r-- and drwxr-xr-x respectively, unless an API that explicitly sets safe file permissions is used.

How to fix Information Exposure?

Upgrade io.swagger:swagger-codegen to version 2.4.19 or higher.

[,2.4.19)
  • H
Arbitrary Code Execution

io.swagger:swagger-codegen is a simple yet powerful representation of your RESTful API.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the yaml parsing functionality. When a maliciously crafted yaml Open-API specification is parsed, it is possible to execute arbitrary code on the hosting server. This in particular, affects the 'generate' and 'validate' command in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.

How to fix Arbitrary Code Execution?

Upgrade io.swagger:swagger-codegen to version 2.2.3 or higher.

[,2.2.3)
  • C
Arbitrary Code Execution

io.swagger:swagger-codegen is a simple yet powerful representation of your RESTful API.

Affected versions of this package are vulnerable to Arbitrary Code Execution via parameter injection. By leveraging this vulnerability, an attacker can inject arbitrary execution code embedded with a client or server generated automatically to interact with the definition of service.

[,2.2.0)