
Path Traversal in openapi-python-client

Low severity GitHub Reviewed Published Aug 13, 2020 in openapi-generators/openapi-python-client • Updated Jan 9, 2023

Package

pip openapi-python-client (pip)

Affected versions

< 0.5.3

Patched versions

0.5.3

Description

Impact

Path traversal vulnerability. If a user generates a client from a maliciously crafted OpenAPI document, the generated files can be written to arbitrary locations on disk, outside the intended output directory.

This is given a CVSS score of 3.0 (Low), with vector CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N/E:P/RL:U/RC:C.

Patches

A fix is being worked on for version 0.5.3.

Workarounds

Inspect OpenAPI documents before generating clients for them.
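Beyond reviewing the document by hand, a generator can refuse to write any file whose path, once resolved, falls outside the chosen output directory. The following is an added example written for this advisory; it is not the project's own fix and makes no claim about how openapi-python-client builds its file names. It assumes a generator that derives file names from untrusted identifiers in the OpenAPI document (tags, operation ids, schema titles), and shows two defensive layers: collapsing each identifier to a single safe path segment, and a containment check on the fully resolved path. The sample names are constructed.

```python
import re
from pathlib import Path, PurePosixPath

# Constructed examples of identifiers that a generator might take from an
# untrusted OpenAPI document and turn into file paths.
SAMPLE_NAMES = [
    "pets",                  # benign module name
    "../../../tmp/evil",     # parent-directory traversal
    "/etc/cron.d/job",       # absolute path
    "docs/../../outside",    # traversal hidden behind a normal-looking segment
    "nested/ok_module",      # subdirectory that stays inside the output dir
]


def sanitize_segment(name: str) -> str:
    """Collapse an untrusted identifier into one safe path segment.

    Every character outside [A-Za-z0-9_] becomes '_', so neither '..' nor a
    path separator can survive. Hypothetical helper, not the project's code.
    """
    cleaned = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return cleaned or "_"


def resolve_inside(output_dir, untrusted_relative: str) -> Path:
    """Return output_dir / untrusted_relative only if the resolved result is
    still inside output_dir; raise ValueError otherwise.

    The check runs on the *resolved* path, so '..' segments and symlinks are
    taken into account rather than matched as text.
    """
    base = Path(output_dir).resolve()
    rel = PurePosixPath(untrusted_relative)
    if rel.is_absolute():
        raise ValueError(f"absolute path rejected: {untrusted_relative!r}")
    candidate = (base / Path(*rel.parts)).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes output dir: {untrusted_relative!r}") from None
    return candidate


def classify(output_dir, names) -> dict:
    """Map each candidate name to 'ok' or 'rejected' using resolve_inside."""
    verdicts = {}
    for name in names:
        try:
            resolve_inside(output_dir, name)
            verdicts[name] = "ok"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    out_dir = "generated_client"  # hypothetical output directory
    for name, verdict in classify(out_dir, SAMPLE_NAMES).items():
        print(f"{verdict:8} {name!r:24} sanitized -> {sanitize_segment(name)!r}")
```

`sanitize_segment` is the right tool when an identifier is meant to become one file or module name, since it cannot emit a separator at all; `resolve_inside` is the backstop for any path the generator assembles, and it is the one to apply right before opening a file for writing.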

For more information

If you have any questions or comments about this advisory:

References

Reviewed Aug 14, 2020
Published to the GitHub Advisory Database Aug 20, 2020
Last updated Jan 9, 2023

Severity

Low
3.0 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Weaknesses

CVE ID

CVE-2020-15141

GHSA ID

GHSA-7wgr-7666-7pwj

Source code

No known source code

Credits
