CVE-2024-35219
HIGH | EXPLOITED | NUCLEI
Org.openapitools Openapi-generator-online < 7.6.0 - Path Traversal
Title source: ruleDescription
OpenAPI Generator allows automatic generation of API client libraries (SDK generation), server stubs, documentation and configuration from an OpenAPI Spec. Prior to version 7.6.0, attackers can exploit a path traversal vulnerability to read and delete files and folders from an arbitrary, writable directory, because anyone can set the output folder when submitting a generation request via the `outputFolder` option. The issue was fixed in version 7.6.0 by removing the `outputFolder` option. No known workarounds are available.
Nuclei Templates (1)
OpenAPI Generator <= 7.5.0 - Arbitrary File Read/Delete
HIGH | VERIFIED | by iamnoooob, rootxharsh, pdresearch
Scores
CVSS v3
8.3
EPSS
0.5228
EPSS Percentile
97.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Details
VulnCheck KEV
2024-12-05
CWE
CWE-22
Status
published
Products (2)
OpenAPITools/openapi-generator
< 7.6.0
org.openapitools/openapi-generator-online
0 - 7.6.0 (Maven)
Published
May 27, 2024
Tracked Since
Feb 18, 2026