NVD Vulnerability Detail

CVE-2021-21364

Summary	swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default `umask` settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions `-rw-r--r--` and `drwxr-xr-x` respectively, unless an API that explicitly sets safe file permissions is used. Because this vulnerability impacts generated code, the generated code will remain vulnerable until fixed manually! This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21363.
Publication Date	March 11, 2021, 12:15 p.m.
Registration Date	March 11, 2021, 4:02 p.m.
Last Update	Nov. 21, 2024, 2:48 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:smartbear:swagger-codegen::::::::					2.4.19

Related information, measures and tools

No	URL	タグ
1	https://github.com/swagger-api/swagger-codegen/commit/35adbd552d5f99b3ff1e0e59da228becc85190f2	Patch Third Party Advisory
2	https://github.com/swagger-api/swagger-codegen/commit/35adbd552d5f99b3ff1e0e59da228becc85190f2	Patch Third Party Advisory
3	https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-hpv8-9rq5-hq7w	Mitigation Third Party Advisory
4	https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-hpv8-9rq5-hq7w	Mitigation Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-732	重要なリソースに対する不適切なパーミッションの割り当て	https://cwe.mitre.org/data/definitions/732.html

JVN Vulnerability Information

swagger-codegen における重要なリソースに対する不適切なパーミッションの割り当てに関する脆弱性

Title	swagger-codegen における重要なリソースに対する不適切なパーミッションの割り当てに関する脆弱性
Summary	swagger-codegen には、重要なリソースに対する不適切なパーミッションの割り当てに関する脆弱性、および情報漏えいに関する脆弱性が存在します。本脆弱性は、CVE-2021-21363 とは異なる脆弱性です。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 2, 2021, midnight
Registration Date	Nov. 24, 2021, 3:53 p.m.
Last Update	Nov. 24, 2021, 3:53 p.m.

Affected System

SmartBear Software

Swagger Codegen 2.4.19 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-21364	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21364
National Vulnerability Database (NVD)
2	CVE-2021-21364	https://nvd.nist.gov/vuln/detail/CVE-2021-21364

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html
2	CWE-732	https://cwe.mitre.org/data/definitions/732.html

ベンダー情報

No	Name	URL
GitHub
1	Generated Code Contains Local Information Disclosure Vulnerability	https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-hpv8-9rq5-hq7w
2	Merge pull request from GHSA-hpv8-9rq5-hq7w	https://github.com/swagger-api/swagger-codegen/commit/35adbd552d5f99b3ff1e0e59da228becc85190f2

Change Log

No	Changed Details	Date of change
1	[2021年11月24日] 掲載	Nov. 24, 2021, 3:53 p.m.