Path Traversal in openapi-python-client

2020-08-2014:38:13

Google

osv.dev

0.001 Low

EPSS

Percentile

31.7%

JSON

Impact

Path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk.

Giving this a CVSS score of 3.0 (Low) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N/E:P/RL:U/RC:C

Patches

A fix is being worked on for version 0.5.3

Workarounds

Inspect OpenAPI documents before generating clients for them.

For more information

If you have any questions or comments about this advisory:

Open an issue in openapi-python-client
Email us at [email protected]

CPENameOperatorVersion
openapi-python-clienteq0.1.0.dev0
openapi-python-clienteq0.5.2
openapi-python-clienteq0.1.2
openapi-python-clienteq0.2.0
openapi-python-clienteq0.4.0
openapi-python-clienteq0.4.2
openapi-python-clienteq0.5.1
openapi-python-clienteq0.4.0rc1
openapi-python-clienteq0.1.0
openapi-python-clienteq0.2.1

Name	Operator	Version
openapi-python-client	eq	0.1.0.dev0
openapi-python-client	eq	0.5.2
openapi-python-client	eq	0.1.2
openapi-python-client	eq	0.2.0
openapi-python-client	eq	0.4.0
openapi-python-client	eq	0.4.2
openapi-python-client	eq	0.5.1
openapi-python-client	eq	0.4.0rc1
openapi-python-client	eq	0.1.0
openapi-python-client	eq	0.2.1