CVE-2021-21428
📋 TL;DR
CVE-2021-21428 is an insecure temporary file creation vulnerability in openapi-generator-online that allows any user on the system to read and append to auto-generated files. This affects systems running vulnerable versions of the openapi-generator-online tool, potentially exposing sensitive API code and configuration data.
💻 Affected Systems
- OpenAPITools openapi-generator-online
📦 What is this software?
Openapi Generator by Openapi Generator
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive API keys, credentials, or proprietary code from generated files, or inject malicious code into generated SDKs that gets distributed to downstream users.
Likely Case
Unauthorized users on the same system can access generated API client code, potentially exposing business logic or configuration details.
If Mitigated
With proper file permissions and isolation, impact is limited to the specific user account running the generator.
🎯 Exploit Status
Exploitation requires local access to the system or access to the web service if exposed. Attackers simply need to read or write to the insecurely created temporary files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v5.1.0 and later
Vendor Advisory: https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-23x4-m842-fmwf
Restart Required: Yes
Instructions:
1. Stop the openapi-generator-online service.
2. Update to version 5.1.0 or later using your package manager or by downloading from GitHub.
3. Restart the service.
4. Verify the fix by checking the version and testing file permissions.
🔧 Temporary Workarounds
Run as isolated user
Linux: Run the openapi-generator-online service under a dedicated user account with restricted permissions
sudo useradd -r -s /bin/false openapi-generator
sudo chown -R openapi-generator:openapi-generator /path/to/openapi-generator
Manual permission hardening
Linux: Set strict permissions on temporary directories used by the generator
chmod 700 /tmp/openapi-*
find /tmp -name 'openapi-*' -type d -exec chmod 700 {} \;
🧯 If You Can't Patch
- Isolate the openapi-generator-online service on a dedicated system with no other users
- Implement strict monitoring on temporary directories for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the running openapi-generator-online version is earlier than 5.1.0. Examine the permissions of files and directories whose names start with 'openapi-' in /tmp or the system temp directory; anything readable or writable by group or other is a sign of the vulnerable behaviour.
Check Version:
java -jar openapi-generator-online.jar --version
Verify Fix Applied:
After updating to 5.1.0+, verify that temporary files created by the generator have secure permissions (typically 600 for files, 700 for directories) and are only accessible by the creating user.
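As an added example (not from the advisory or the OpenAPI Generator project), a small POSIX shell script that implements this verification step and generalizes the chmod workaround above: it counts and lists openapi-* entries in the temp directory that grant any access to group or other, and hardens files as well as directories without touching unrelated entries. It assumes GNU find on Linux and the openapi-* naming pattern the advisory gives; the temp directory path is a parameter.

```shell
#!/bin/sh
# Added example: audit and harden temp artifacts left by openapi-generator-online.
# Assumes the generator's temp files/dirs are named openapi-* directly under the
# temp directory (the advisory's own pattern) and GNU find/chmod (Linux).

# Print the number of openapi-* entries (files or directories) directly under
# $1 (default /tmp) that grant any permission to group or other (mode bits 077).
count_insecure_openapi_tmp() {
    find "${1:-/tmp}" -mindepth 1 -maxdepth 1 -name 'openapi-*' -perm /077 2>/dev/null | wc -l
}

# List each insecure entry with its mode and owner; exit status is 0 only when
# every openapi-* entry is owner-only, so the function can gate a cron or CI step.
audit_openapi_tmp() {
    dir="${1:-/tmp}"
    find "$dir" -mindepth 1 -maxdepth 1 -name 'openapi-*' -perm /077 \
        -printf 'INSECURE %p mode=%m owner=%u\n' 2>/dev/null
    [ "$(count_insecure_openapi_tmp "$dir")" -eq 0 ]
}

# The advisory's chmod workaround, applied to files as well as directories and
# restricted to the top level so unrelated entries in /tmp are never touched.
# go-rwx strips group/other bits but keeps the owner bits (a 644 file becomes
# 600, a 755 directory becomes 700) instead of forcing 700 on everything.
harden_openapi_tmp() {
    find "${1:-/tmp}" -mindepth 1 -maxdepth 1 -name 'openapi-*' -perm /077 \
        -exec chmod go-rwx {} + 2>/dev/null
}

# Example run against the real temp directory; non-zero status means findings.
audit_openapi_tmp /tmp || echo "insecure openapi-* entries found in /tmp"
```

Run `harden_openapi_tmp /tmp` as the account that owns the generator's files (or as root) after a positive audit; entries owned by other users are skipped silently.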
📡 Detection & Monitoring
Log Indicators:
- Multiple users accessing the same temporary files
- Permission denied errors from legitimate users trying to access their generated files
Network Indicators:
- Unusual network traffic from the generator host if files contain sensitive data
SIEM Query:
source="openapi-generator" AND (event="permission_denied" OR event="unauthorized_access")