Code Injection in openapi-python-client - CVE-2020-15142
Published: August 28, 2020
Product: openapi-python-client
Vendor: Triax Technologies
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because clients generated from a maliciously crafted OpenAPI document can contain arbitrary Python code. A remote authenticated attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
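The advisory describes a code-generation injection: text taken from an untrusted OpenAPI document (schema names, property names, descriptions) is pasted into Python source, so a crafted document becomes statements in the generated client. The following is an added illustration of that vulnerability class and of the defender-side checks, not code from openapi-python-client or its fix. The generator functions, the minimal schema shape and the sample documents (`BENIGN_DOC`, `HOSTILE_DOC`, `HOSTILE_DESCRIPTION_DOC`) are constructed for this example; the real project's templates and sanitisation are not reproduced here.

```python
"""Code-generation injection from an untrusted OpenAPI document, and a hardened generator.

Added, constructed example; not the openapi-python-client code base.
"""
import ast
import keyword
from typing import Any, Dict

# Constructed sample documents (shape simplified to components/schemas/properties).
BENIGN_DOC: Dict[str, Any] = {"components": {"schemas": {
    "Pet": {"description": "A pet", "properties": {"name": {"description": "Pet name"}, "age": {}}},
}}}

# A property name that closes the emitted assignment and adds its own statement.
# The marker `INJECTED = len("x")` is inert; any call would do for the demonstration.
HOSTILE_DOC: Dict[str, Any] = {"components": {"schemas": {
    "Pet": {"description": 'A pet"""\n    INJECTED = len("x")\n    """',
            "properties": {'name = None\n    INJECTED = len("x")\n    other': {}}},
}}}

# Only the description is hostile; identifiers are clean.
HOSTILE_DESCRIPTION_DOC: Dict[str, Any] = {"components": {"schemas": {
    "Pet": {"description": 'A pet"""\n    INJECTED = len("x")\n    """',
            "properties": {"name": {"description": "x\n    INJECTED = len('x')"}}},
}}}


def generate_naive(doc: Dict[str, Any]) -> str:
    """Vulnerable pattern: document strings are interpolated straight into source."""
    lines = []
    for schema_name, schema in doc["components"]["schemas"].items():
        lines.append(f"class {schema_name}:")
        lines.append(f'    """{schema.get("description", "")}"""')
        for prop_name, prop in schema.get("properties", {}).items():
            lines.append(f"    {prop_name} = None  # {prop.get('description', '')}")
    return "\n".join(lines) + "\n"


def _checked_identifier(name: Any) -> str:
    """Accept only a plain, non-keyword, non-dunder Python identifier."""
    if not isinstance(name, str) or not name.isidentifier() \
            or keyword.iskeyword(name) or name.startswith("__"):
        raise ValueError(f"unsafe identifier from document: {name!r}")
    return name


def generate_hardened(doc: Dict[str, Any]) -> str:
    """Hardened pattern: identifiers are validated, free text is always a string literal."""
    lines = []
    for schema_name, schema in doc["components"]["schemas"].items():
        cls = _checked_identifier(schema_name)
        lines.append(f"class {cls}:")
        # repr() produces one escaped string literal whatever the text contains
        # (quotes, newlines, triple quotes), so it cannot break out of the literal.
        lines.append(f"    __doc__ = {repr(str(schema.get('description', '')))}")
        for prop_name, prop in schema.get("properties", {}).items():
            attr = _checked_identifier(prop_name)
            lines.append(f"    {attr} = None")
            lines.append(f"    {attr}_description = {repr(str(prop.get('description', '')))}")
    return "\n".join(lines) + "\n"


def is_plain_data_module(source: str) -> bool:
    """Defence in depth: the output must be only classes holding constant assignments.

    Any call, import, or other statement in the generated module means the
    document influenced code, not just data, and the output should be rejected.
    """
    tree = ast.parse(source)
    for node in tree.body:
        if not isinstance(node, ast.ClassDef):
            return False
        for stmt in node.body:
            if not (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)
                    and isinstance(stmt.value, ast.Constant)):
                return False
    return True


def hardened_rejects(doc: Dict[str, Any]) -> bool:
    """True if the hardened generator refuses the document."""
    try:
        generate_hardened(doc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(generate_naive(HOSTILE_DOC))      # shows the injected statements in the output
    print(generate_hardened(BENIGN_DOC))
    print("hostile rejected:", hardened_rejects(HOSTILE_DOC))
```

The two controls work together: identifier validation stops names from carrying statements, and `repr()` keeps descriptions inside a literal; the AST check is an independent gate that rejects any generated module that is not pure data, so a template bug elsewhere still cannot ship code from the document into the client.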
Remediation
External links
- https://github.com/triaxtec/openapi-python-client/blob/main/CHANGELOG.md#053---2020-08-13
- https://github.com/triaxtec/openapi-python-client/commit/f7a56aae32cba823a77a84a1f10400799b19c19a
- https://github.com/triaxtec/openapi-python-client/security/advisories/GHSA-9x4c-63pf-525f
- https://pypi.org/project/openapi-python-client/