CVE-2024-35219: OpenAPI Generator Online - Arbitrary File Read/Delete

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-35219

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

OpenAPI Generator Online - Arbitrary File Read/Delete

Source: NVD (National Vulnerability Database)

Vulnerability Description

OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Prior to version 7.6.0, attackers can exploit a path traversal vulnerability to read and delete files and folders from an arbitrary, writable directory as anyone can set the output folder when submitting the request via the `outputFolder` option. The issue was fixed in version 7.6.0 by removing the usage of the `outputFolder` option. No known workarounds are available.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

对路径名的限制不恰当(路径遍历)

Source: NVD (National Vulnerability Database)

Vulnerability Title

OpenAPI Tools OpenAPI Generator 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

OpenAPI Tools OpenAPI Generator是一款OpenAPI生成器。该产品允许在给定OpenAPI规范（v2，v3）的情况下自动生成API客户端库（SDK生成），服务器存根，文档和配置等。 OpenAPI Tools OpenAPI Generator 7.6.0之前版本存在安全漏洞，该漏洞源于存在路径遍历，攻击者利用该漏洞可以读取和删除任意可写目录中的文件和文件夹。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
OpenAPITools	openapi-generator	< 7.6.0	-

II. Public POCs for CVE-2024-35219

#	POC Description	Source Link	Shenlong Link
1	OpenAPI Generator versions 7.5.0 and below are prone to an Arbitrary File Read/Delete vulnerability. Attackers can exploit this vulnerability to read and delete files and folders from an arbitrary, writable directory.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-35219.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-35219

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: openapi-generator

Same vendor: OpenAPITools

Same weakness: CWE-22

V. Comments for CVE-2024-35219

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2024-35219

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-35219

III. Intelligence Information for CVE-2024-35219

IV. Related Vulnerabilities

V. Comments for CVE-2024-35219

Leave a comment