search

swagger-api / swagger-codegen

swagger-codegen contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition.
http://swagger.io
Apache License 2.0
17.08k stars 6.03k forks source link

Vulnerable gradle wrapper used #10404

Open ArulPrakas opened 4 years ago

ArulPrakas commented 4 years ago
Description

Vulnerable gradle wrapper referenced in swagger-codegen wagger-codegen-2.3.1.jar\android\gradle-wrapper.jar

It has following vulnerabilities associated with it:

  1. ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object.

https://nvd.nist.gov/vuln/detail/CVE-2016-6199 CVSS Base score : 9.8 Critical

  1. The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

https://nvd.nist.gov/vuln/detail/CVE-2019-15052 CVSS Base score : 9.8 Critical

Swagger-codegen version

2.3.1

swiss-chris commented 2 years ago

Sadly this is still true for version 2.4.26. we are getting warnings from our OWASP Dependency Check tool https://owasp.org/www-project-dependency-check/

mnisius commented 2 years ago

Wow this issue is now over 2 years old. CVE-2016-6199 has a Score of 9.8 CRITICAL. Are there no plans to resolve this Issue? Or at least a comment why this won't get resolved?

@ArulPrakas could you maybe update the title to something like "CRITICAL vulnerable gradle wrapper with SCORE 9.8 used" ?

tdinev commented 2 years ago

@mnisius: Indeed.

This still holds for io.swagger:swagger-codegen:2.4.27, but not for io.swagger.codegen.v3:swagger-codegen:3.0.34.

swiss-chris commented 2 years ago

@tdinev ist it 3.0.34 or 1.0.34 ? I found the latter here https://github.com/swagger-api/swagger-codegen-generators/blob/v1.0.34/pom.xml but if the former is correct, could you please provide a link to a source for this dependency ?

tdinev commented 2 years ago

@swiss-chris: Apparently io.swagger.codegen.v3:swagger-codegen:3.0.34 has been tagged on Github as v1.0.34 (cf. https://github.com/swagger-api/swagger-codegen/releases/tag/v3.0.34). Maven Central knows it under the above coordinates (i.e., with version 3.0.34): https://search.maven.org/artifact/io.swagger.codegen.v3/swagger-codegen/3.0.34/jar

tdinev commented 2 years ago

Sorry, I did not see that your link was referring to swagger-codegen-generators. I was talking about swagger-codegen.