Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4NGMtNjNwZi01MjVm
openapi-python-client Arbitrary Code Generation vulnerability
Impact
Clients generated from a maliciously crafted OpenAPI document can contain arbitrary Python code. Executing such a generated client therefore amounts to arbitrary code execution.
This was given a CVSS score of 8.0 (High) with vector CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C.
Patches
A fix will be included in version 0.5.3.
Workarounds
Inspect OpenAPI documents before generating a client from them, or inspect the generated code before executing it.
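A pre-generation and pre-execution inspection along the lines of this workaround, as an added example that is not part of the advisory or of the openapi-python-client project. Which document fields the vulnerable versions interpolated into source is an assumption here, not something the advisory states; the checks flag names that are not plain Python identifiers and generated statements that would run on import.

```python
import ast
import re

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
ALLOWED_TOP_LEVEL = (ast.Import, ast.ImportFrom, ast.FunctionDef, ast.AsyncFunctionDef,
                     ast.ClassDef, ast.Assign, ast.AnnAssign)  # expected top-level kinds (assumption)

def find_suspicious_names(doc: dict) -> list[str]:
    """Flag document fields a generator may paste into Python source verbatim.
    Which fields the vulnerable versions actually interpolated is an assumption."""
    findings = []
    for sname, schema in doc.get("components", {}).get("schemas", {}).items():
        if not IDENT.match(sname):
            findings.append(f"schema name {sname!r}")
        for pname in schema.get("properties", {}):
            if not IDENT.match(pname):
                findings.append(f"property {sname}.{pname!r}")
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if not isinstance(op, dict):  # skip path-level keys such as "summary"
                continue
            op_id = op.get("operationId")
            if op_id is not None and not IDENT.match(op_id):
                findings.append(f"operationId {op_id!r} at {method.upper()} {path}")
            for param in op.get("parameters", []):
                if "name" in param and not IDENT.match(param["name"]):
                    findings.append(f"parameter {param['name']!r} at {method.upper()} {path}")
    return findings

def find_risky_statements(source: str) -> list[str]:
    """Flag statements in generated code that run on import, plus dynamic-execution calls."""
    tree = ast.parse(source)
    findings = []
    for node in tree.body:
        is_docstring = isinstance(node, ast.Expr) and isinstance(node.value, ast.Constant)
        if not isinstance(node, ALLOWED_TOP_LEVEL) and not is_docstring:
            findings.append(f"line {node.lineno}: top-level {type(node).__name__}")
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in {"exec", "eval", "compile", "__import__"}:
            findings.append(f"line {node.lineno}: call to {node.func.id}()")
    return findings

# Constructed sample document: one property name is not a valid Python identifier.
SAMPLE_DOC = {
    "openapi": "3.0.0",
    "paths": {"/pets": {"get": {"operationId": "listPets",
                                "parameters": [{"name": "limit", "in": "query"}]}}},
    "components": {"schemas": {"Pet": {"properties": {"name": {}, "tag;x": {}}}}},
}
```

Run `find_suspicious_names` over the document before invoking the generator, and `find_risky_statements` over each generated module before importing it; any finding is a reason to review by hand rather than execute.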
For more information
If you have any questions or comments about this advisory:
- Open an issue in openapi-python-client
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTl4NGMtNjNwZi01MjVm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: 4 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Percentage: 0.00141
EPSS Percentile: 0.50531
Identifiers: GHSA-9x4c-63pf-525f, CVE-2020-15142
References:
- https://github.com/triaxtec/openapi-python-client/security/advisories/GHSA-9x4c-63pf-525f
- https://github.com/triaxtec/openapi-python-client/commit/f7a56aae32cba823a77a84a1f10400799b19c19a
- https://github.com/triaxtec/openapi-python-client/blob/main/CHANGELOG.md#053---2020-08-13
- https://nvd.nist.gov/vuln/detail/CVE-2020-15142
- https://github.com/openapi-generators/openapi-python-client/commit/f7a56aae32cba823a77a84a1f10400799b19c19a
- https://github.com/openapi-generators/openapi-python-client/releases/tag/v.0.5.3
- https://github.com/pypa/advisory-database/tree/main/vulns/openapi-python-client/PYSEC-2020-71.yaml
- https://pypi.org/project/openapi-python-client
- https://github.com/advisories/GHSA-9x4c-63pf-525f
Blast Radius: 18.7
Affected Packages
pypi:openapi-python-client
Dependent packages: 13
Dependent repositories: 204
Downloads: 198,660 last month
Affected Version Ranges: < 0.5.3
Fixed in: 0.5.3
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2
All unaffected versions: 0.5.3, 0.5.4, 0.5.5, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.10.7, 0.10.8, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.18.0, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.21.1, 0.21.2, 0.21.3, 0.21.4, 0.21.5, 0.21.6, 0.21.7, 0.22.0, 0.23.0, 0.23.1