Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4NGMtNjNwZi01MjVm
Arbitrary Code Generation
Impact
Clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution.
Giving this a CVSS of 8.0 (high) with CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C.
Patches
Fix will be included in version 0.5.3.
Workarounds
Inspect OpenAPI documents before generating, or inspect generated code before executing.
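The workaround above has two concrete parts a maintainer can automate: confirm whether the installed generator falls in the affected range (< 0.5.3), and lint an untrusted OpenAPI document before feeding it to the generator. The script below is an added example written for this page; it is not code from openapi-python-client or from the advisory. The advisory does not disclose the exact field through which code was injected, so the lint is a deliberately conservative heuristic (an assumption): any name that the generator turns into Python identifiers, such as paths, operationIds, parameter names, schema names and property names, must look like a plain identifier, and anything else is reported for manual review. The two OpenAPI documents embedded at the bottom are constructed samples.

```python
"""Pre-generation checks for openapi-python-client inputs.

Added example for the GHSA-9x4c-63pf-525f advisory page; not the project's own code.
"""
import re
from typing import Dict, List, Tuple

# From the advisory: versions below 0.5.3 are affected, 0.5.3 is the fix.
FIXED_VERSION: Tuple[int, ...] = (0, 5, 3)

# Heuristic allowlists (assumption, not the advisory's disclosed vector):
# names that become Python identifiers should only contain identifier-like characters,
# and paths should only contain URL-path characters plus {template} braces.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.\-]*")
PATH_RE = re.compile(r"/[A-Za-z0-9_.\-{}/]*")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.5.2' or 'v0.5.2' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def is_affected(version: str) -> bool:
    """True when the given openapi-python-client version is in the advisory's range (< 0.5.3)."""
    return parse_version(version) < FIXED_VERSION


def _check(findings: List[str], pattern: "re.Pattern[str]", value: str, where: str) -> None:
    # fullmatch is used on purpose: '$' would accept a trailing newline.
    if not pattern.fullmatch(value):
        findings.append(f"{where}: {value!r} contains characters outside the allowlist")


def lint_openapi(doc: Dict) -> List[str]:
    """Return a list of findings for names that would be unsafe to turn into code unreviewed."""
    findings: List[str] = []
    for path, item in doc.get("paths", {}).items():
        _check(findings, PATH_RE, path, "path")
        if not isinstance(item, dict):
            continue
        for method, operation in item.items():
            if not isinstance(operation, dict):
                continue  # e.g. path-level 'parameters' lists; kept simple for the example
            op_id = operation.get("operationId")
            if op_id is not None:
                _check(findings, NAME_RE, op_id, f"{method.upper()} {path} operationId")
            for param in operation.get("parameters", []):
                _check(findings, NAME_RE, param.get("name", ""), f"{method.upper()} {path} parameter")
    schemas = doc.get("components", {}).get("schemas", {})
    for schema_name, schema in schemas.items():
        _check(findings, NAME_RE, schema_name, "schema name")
        for prop_name in (schema.get("properties") or {}):
            _check(findings, NAME_RE, prop_name, f"schema {schema_name} property")
    return findings


# Constructed sample documents (not from the advisory).
CLEAN_DOC = {
    "openapi": "3.0.0",
    "paths": {
        "/pets/{petId}": {
            "get": {
                "operationId": "listPets",
                "parameters": [{"name": "limit", "in": "query"}],
            }
        }
    },
    "components": {"schemas": {"Pet": {"properties": {"id": {}, "name": {}}}}},
}

SUSPICIOUS_DOC = {
    "openapi": "3.0.0",
    "paths": {
        "/pets": {
            "get": {
                "operationId": "list pets\n",          # whitespace and newline in an identifier
                "parameters": [{"name": "limit;", "in": "query"}],
            }
        }
    },
    "components": {"schemas": {"Pet Record": {"properties": {"name": {}, "tag name": {}}}}},
}


if __name__ == "__main__":
    for ver in ("0.5.2", "0.5.3"):
        print(f"openapi-python-client {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for label, doc in (("clean", CLEAN_DOC), ("suspicious", SUSPICIOUS_DOC)):
        print(f"{label}: {len(lint_openapi(doc))} finding(s)")
        for line in lint_openapi(doc):
            print("  -", line)
```

Run the linter in CI before invoking the generator and fail the job on any finding; the version check belongs next to it so that a pinned dependency that drifts back below 0.5.3 is caught as well. The allowlist is intentionally stricter than what the OpenAPI specification permits, so expect occasional false positives that a reviewer clears by hand.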
For more information
If you have any questions or comments about this advisory:
- Open an issue in openapi-python-client
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4NGMtNjNwZi01MjVm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-9x4c-63pf-525f, CVE-2020-15142
References:
- https://github.com/triaxtec/openapi-python-client/security/advisories/GHSA-9x4c-63pf-525f
- https://github.com/triaxtec/openapi-python-client/commit/f7a56aae32cba823a77a84a1f10400799b19c19a
- https://github.com/triaxtec/openapi-python-client/blob/main/CHANGELOG.md#053---2020-08-13
- https://pypi.org/project/openapi-python-client/
- https://nvd.nist.gov/vuln/detail/CVE-2020-15142
- https://github.com/openapi-generators/openapi-python-client/commit/f7a56aae32cba823a77a84a1f10400799b19c19a
- https://github.com/openapi-generators/openapi-python-client/releases/tag/v.0.5.3
- https://github.com/advisories/GHSA-9x4c-63pf-525f
Blast Radius: 18.7
Affected Packages
pypi:openapi-python-client
Dependent packages: 9
Dependent repositories: 204
Downloads: 234,087 last month
Affected Version Ranges: < 0.5.3
Fixed in: 0.5.3
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2
All unaffected versions: 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.18.0, 0.19.0, 0.19.1