Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unpacking Arbitrary Mustache Template Files via `maven-dependency-plugin`
Vulnerability Description
openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, and could be used by anyone, and does not follow the best security practices. The risk, is that if `openapi-to-java-records-mustache-templates` would be compromised, and malicious `.mustache` files were to be included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production-use. These only exist for testing purposes and maintainability.
CVSS Information
N/A
Vulnerability Type
输入验证不恰当
Vulnerability Title
Openapi to Java Records Mustache Templates 输入验证错误漏洞
Vulnerability Description
Openapi to Java Records Mustache Templates是Christopher Molin个人开发者的一个记录生成工具。 Openapi to Java Records Mustache Templates 5.5.1之前版本存在输入验证错误漏洞,该漏洞源于父POM文件可能自动解压恶意文件,可能导致依赖更新时自动执行恶意代码。
CVSS Information
N/A
Vulnerability Type
N/A