Arbitrary Code Execution Affecting io.swagger:swagger-codegen Open this link in a new tab package, versions [,2.2.3)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
28 Nov 2017
13 Jul 2017
How to fix?
io.swagger:swagger-codegen to version 2.2.3 or higher.
io.swagger:swagger-codegen is a simple yet powerful representation of your RESTful API.
Affected versions of this package are vulnerable to Arbitrary Code Execution via the yaml parsing functionality. When a maliciously crafted yaml Open-API specification is parsed, it is possible to execute arbitrary code on the hosting server. This in particular, affects the 'generate' and 'validate' command in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.