Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTd3Z3ItNzY2Ni03cHdq

Path Traversal in openapi-python-client

Impact

Path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk.

Giving this a CVSS score of 3.0 (Low) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N/E:P/RL:U/RC:C

Patches

A fix is being worked on for version 0.5.3

Workarounds

Inspect OpenAPI documents before generating clients for them.

For more information

If you have any questions or comments about this advisory:

• Open an issue in openapi-python-client
• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-7wgr-7666-7pwj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTd3Z3ItNzY2Ni03cHdq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago

CVSS Score: 3.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Identifiers: GHSA-7wgr-7666-7pwj, CVE-2020-15141
References:

• https://github.com/triaxtec/openapi-python-client/security/advisories/GHSA-7wgr-7666-7pwj
• https://github.com/triaxtec/openapi-python-client/commit/3e7dfae5d0b3685abf1ede1bc6c086a116ac4746
• https://github.com/triaxtec/openapi-python-client/blob/main/CHANGELOG.md#053---2020-08-13
• https://pypi.org/project/openapi-python-client
• https://pypi.org/project/openapi-python-client/
• https://nvd.nist.gov/vuln/detail/CVE-2020-15141
• https://github.com/advisories/GHSA-7wgr-7666-7pwj

Repository: https://github.com/triaxtec/openapi-python-client
Blast Radius: 6.9

Affected Packages