Arbitrary Code Generation
High severity • GitHub Reviewed
Published Aug 13, 2020 in openapi-generators/openapi-python-client • Updated Jan 9, 2023
Description
Reviewed: Aug 14, 2020
Published to the GitHub Advisory Database: Aug 20, 2020
Last updated: Jan 9, 2023
Impact
Clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution.
This is scored as CVSS 8.0 (high) with the vector CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C.
Patches
The fix will be included in version 0.5.3.
Workarounds
Inspect OpenAPI documents before generating, or inspect generated code before executing.
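The first workaround, inspecting the OpenAPI document before generating, can be partly automated. The script below is an added example written for this advisory; it is not code from openapi-python-client. It assumes that the document values a generator turns into identifiers in the emitted client (schema names, property names, operationId values and parameter names) are where untrusted content would land, and it flags any such name containing characters outside a conservative allow-list so a reviewer can look at it before running the generator. The sample document is constructed for the example.

```python
import re
from typing import Iterator, List, Tuple

# Conservative allow-list for names that will become Python identifiers or
# string literals in generated code. Letters, digits, underscore, hyphen, dot
# and space are tolerated; quotes, newlines, brackets and the like are not.
# The set of inspected fields is an assumption of this example, not something
# the advisory spells out.
NAME_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9_\-. ]*$")


def iter_names(node, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, name) for every document key or value that a client
    generator typically turns into code: keys under components.schemas and
    under any `properties` object, every operationId, and parameter names."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            # Schema names become class names; property names become attributes.
            if path.endswith(".schemas") or path.endswith(".properties"):
                yield child, key
            # operationId becomes a function name; a parameter name becomes an argument.
            if key == "operationId" and isinstance(value, str):
                yield child, value
            if key == "name" and ".parameters[" in path and isinstance(value, str):
                yield child, value
            yield from iter_names(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_names(item, f"{path}[{index}]")


def find_suspicious_names(document) -> List[Tuple[str, str]]:
    """Return every (path, name) whose characters fall outside NAME_PATTERN."""
    return [(p, n) for p, n in iter_names(document) if not NAME_PATTERN.match(n)]


def is_safe_to_generate(document) -> bool:
    """True when no inspected name needs manual review."""
    return not find_suspicious_names(document)


# Constructed sample document: one property name carries a quote and a newline,
# which a plain identifier never contains.
SAMPLE_DOCUMENT = {
    "openapi": "3.0.0",
    "info": {"title": "Pet Store", "version": "1.0"},
    "paths": {
        "/pets": {
            "get": {
                "operationId": "listPets",
                "parameters": [{"name": "limit", "in": "query", "schema": {"type": "integer"}}],
                "responses": {"200": {"description": "ok"}},
            }
        }
    },
    "components": {
        "schemas": {
            "Pet": {
                "type": "object",
                "properties": {
                    "id": {"type": "integer"},
                    'name"\n#': {"type": "string"},
                },
            }
        }
    },
}


if __name__ == "__main__":
    for path, name in find_suspicious_names(SAMPLE_DOCUMENT):
        print(f"review before generating: {path} -> {name!r}")
    print("safe to generate" if is_safe_to_generate(SAMPLE_DOCUMENT) else "manual review needed")
```

The check is deliberately strict: a name that fails it is not necessarily malicious, but any name that cannot be a plain identifier is exactly what a generator has to escape or sanitize, so it deserves a look. A document that passes still warrants the second workaround, reading the generated code before executing it, since this script only inspects the fields it was told about.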
For more information
If you have any questions or comments about this advisory: