Description

A security issue has been found in openapi-generator before version 5.1.1. On Unix-like systems, the system temporary directory is shared between all local users. When files/directories are created, the default umask settings for the process are respected. As a result, by default, most processes/APIs will create files/directories with the permissions -rw-r--r-- and drwxr-xr-x respectively, unless an API that explicitly sets safe file permissions is used.

This vulnerability exists due to the use of the JDK method File.createTempFile. This method creates insecure temporary files that can leave application and system data vulnerable to exposure.

Auto-generated code (Java, Scala) that deals with uploading or downloading binary data through API endpoints will create insecure temporary files during the process. For example, if the API endpoint returns a PDF file, the auto-generated clients will first download the PDF into an insecure temporary file that can be read by anyone on the system.

This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually!
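The following is an added example, not code from openapi-generator or from this advisory. It puts the umask-dependent File.createTempFile call next to java.nio.file.Files.createTempFile, which on POSIX file systems creates the file readable and writable only by the owner regardless of umask, and adds a small check that reports whether a given file is readable by group or others. It assumes a POSIX platform (Files.getPosixFilePermissions throws UnsupportedOperationException elsewhere); the class name and the "download-"/".pdf" prefix and suffix are illustrative.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFileDemo {

    // Vulnerable pattern: File.createTempFile honours the process umask, so on a
    // typical Unix-like system the file lands in the shared temp directory as 0644
    // and any local user can read whatever is downloaded into it.
    static File insecureTempFile() throws IOException {
        File f = File.createTempFile("download-", ".pdf"); // illustrative prefix/suffix
        f.deleteOnExit();
        return f;
    }

    // Hardened pattern: Files.createTempFile creates the file with owner-only
    // permissions (0600) on POSIX file systems, independent of the umask.
    static Path secureTempFile() throws IOException {
        Path p = Files.createTempFile("download-", ".pdf"); // illustrative prefix/suffix
        p.toFile().deleteOnExit();
        return p;
    }

    // Check: true if the file is readable by its group or by other users.
    // Assumes a POSIX platform; getPosixFilePermissions is unsupported elsewhere.
    static boolean isGroupOrWorldReadable(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path bad = insecureTempFile().toPath();
        Path good = secureTempFile();
        for (Path p : new Path[] { bad, good }) {
            String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
            String verdict = isGroupOrWorldReadable(p)
                ? "exposed to other local users"
                : "owner-only";
            System.out.println(p + "  " + mode + "  (" + verdict + ")");
        }
    }
}
```

With a default umask of 022 the first line prints rw-r--r-- and the second rw-------; the same check can be pointed at the temp directory of a running generated client to confirm whether a regenerated or manually patched build actually closed the gap.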
|