CVE-2024-35219

8.3 HIGH

📋 TL;DR

OpenAPI Generator versions before 7.6.0 contain a path traversal vulnerability that allows attackers to read and delete files from arbitrary writable directories. This occurs because anyone can specify the output folder via the 'outputFolder' option when submitting generation requests. Organizations using vulnerable versions of OpenAPI Generator for API client or server stub generation are affected.

💻 Affected Systems

Products:
  • OpenAPI Generator
Versions: All versions prior to 7.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment where OpenAPI Generator accepts user input for the outputFolder parameter is vulnerable. This includes web interfaces, CLI tools, and integrations that expose this functionality.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the server hosting OpenAPI Generator, allowing attackers to delete critical system files, read sensitive configuration files, or potentially achieve remote code execution by manipulating files.

🟠 Likely Case

Unauthorized file access and deletion within the application's context, potentially exposing API specifications, configuration files, or other sensitive data stored in writable directories.

🟢 If Mitigated

Limited impact if the application runs with minimal permissions and file system access is properly restricted, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and exploitation is straightforward by manipulating the outputFolder parameter with path traversal sequences like '../../'.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.6.0

Vendor Advisory: https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-g3hr-p86p-593h

Restart Required: Yes

Instructions:

  1. Stop the OpenAPI Generator service.
  2. Update to version 7.6.0 or later using your package manager or by downloading from the official repository.
  3. Restart the service.
  4. Verify the fix by checking the version and testing that the outputFolder parameter is no longer accepted.

🔧 Temporary Workarounds

No workarounds available


The vendor advisory states no known workarounds exist. The vulnerability is in the core functionality and requires patching.

🧯 If You Can't Patch

  • Disable or restrict access to the OpenAPI Generator service entirely, especially if internet-facing.
  • Implement strict network segmentation and access controls to limit which users or systems can interact with the vulnerable service.

🔍 How to Verify

Check if Vulnerable:

Check if your OpenAPI Generator version is below 7.6.0 by running 'openapi-generator version' or inspecting your deployment configuration.

Check Version:

openapi-generator version

Verify Fix Applied:

After updating, confirm the version is 7.6.0 or higher and test that attempts to use the outputFolder parameter with path traversal sequences (e.g., '../../etc/passwd') are rejected or ignored.

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing file operations outside expected directories
  • Requests containing path traversal sequences in the outputFolder parameter
  • Error messages related to file access permissions or invalid paths

Network Indicators:

  • Unusual patterns of requests to the OpenAPI Generator endpoint, especially with parameters containing '../' sequences

SIEM Query:

source="openapi-generator" AND (message="*outputFolder*" OR message="*../*")
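The version check and log indicators above, as an added Python example (not code from this page or from the OpenAPI Generator project): it compares an 'openapi-generator version' string against 7.6.0, validates a requested outputFolder against an allowed base directory the way a hardened deployment would, and flags constructed sample request log lines whose outputFolder would escape that directory. The base directory and the log line format are assumptions.

```python
import os
import re
import urllib.parse

# Assumed base directory the generator may write into (hypothetical path).
ALLOWED_BASE = "/srv/openapi-generator/output"
FIXED_VERSION = (7, 6, 0)  # first release carrying the fix, per the advisory


def is_vulnerable_version(version: str) -> bool:
    """True when an 'openapi-generator version' string is older than 7.6.0."""
    parts = tuple(int(p) for p in version.lstrip("v").split(".")[:3])
    parts += (0,) * (3 - len(parts))  # treat "7.6" as 7.6.0
    return parts < FIXED_VERSION


def is_safe_output_folder(requested: str, base: str = ALLOWED_BASE) -> bool:
    """True only if `requested` resolves lexically inside `base`.

    Absolute paths are refused; the joined path is normalised so '..'
    segments cannot escape, and commonpath compares components (not a
    string prefix), so 'output-evil' does not pass as 'output'.
    """
    if os.path.isabs(requested):
        return False
    candidate = os.path.normpath(os.path.join(base, requested))
    return os.path.commonpath([base, candidate]) == os.path.normpath(base)


# Constructed sample request log (not real traffic); the line format is an
# assumption: "<timestamp> <client> <method> <path> outputFolder=<value>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 POST /api/gen/clients/java outputFolder=java-client
2024-05-01T10:00:07Z 10.0.0.9 POST /api/gen/clients/java outputFolder=../../../../etc
2024-05-01T10:00:09Z 10.0.0.9 POST /api/gen/servers/spring outputFolder=/tmp/x
2024-05-01T10:00:12Z 10.0.0.9 POST /api/gen/clients/go outputFolder=..%2F..%2Fopt
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) \S+ \S+ outputFolder=(?P<folder>\S*)$")


def suspicious_requests(log_text: str) -> list:
    """Return (timestamp, client, decoded outputFolder) for each request
    whose outputFolder would land outside ALLOWED_BASE."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode once, as the server would, so '%2F'-encoded traversal is caught too.
        folder = urllib.parse.unquote(m.group("folder"))
        if not is_safe_output_folder(folder):
            hits.append((m.group("ts"), m.group("client"), folder))
    return hits
```

On a live system, apply os.path.realpath to both paths as well so symlinks inside the base directory cannot redirect writes elsewhere.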
