Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4NGMtNjNwZi01MjVm

Arbitrary Code Generation

Impact

Clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution.

Giving this a CVSS of 8.0 (high) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C .

Patches

Fix will be included in version 0.5.3

Workarounds

Inspect OpenAPI documents before generating, or inspect generated code before executing.

For more information

If you have any questions or comments about this advisory:

• Open an issue in openapi-python-client
• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-9x4c-63pf-525f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4NGMtNjNwZi01MjVm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago

CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Identifiers: GHSA-9x4c-63pf-525f, CVE-2020-15142
References:

• https://github.com/triaxtec/openapi-python-client/security/advisories/GHSA-9x4c-63pf-525f
• https://github.com/triaxtec/openapi-python-client/commit/f7a56aae32cba823a77a84a1f10400799b19c19a
• https://github.com/triaxtec/openapi-python-client/blob/main/CHANGELOG.md#053---2020-08-13
• https://pypi.org/project/openapi-python-client/
• https://nvd.nist.gov/vuln/detail/CVE-2020-15142
• https://github.com/openapi-generators/openapi-python-client/commit/f7a56aae32cba823a77a84a1f10400799b19c19a
• https://github.com/openapi-generators/openapi-python-client/releases/tag/v.0.5.3
• https://github.com/advisories/GHSA-9x4c-63pf-525f

Repository: https://github.com/triaxtec/openapi-python-client
Blast Radius: 18.7

Affected Packages