Summary
Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory
Java Code
The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.
References
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-379: Creation of Temporary File in Directory with Insecure Permissions
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Original vulnerability report
I'm performing OSS security research under the GitHub Security Lab Bug Bounty program.
I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.
- https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f
- https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac
- https://github.com/github/codeql/pull/4473
The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.
This vulnerability exists in the maven plugin.
This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability.
This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project.
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6
This is due to a race condition between the call to delete and the call to mkdirs.
// ensure file will always be unique by appending random digits
File outputFolder = File.createTempFile("codegen-", "-tmp"); // Attacker knows the full path of the file that will be generated
// delete the file that was created
outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator.
// and make a directory of the same name
// SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory
outputFolder.mkdirs();
This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.
The fix here is to switch to the Files API for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions.
Impact
On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory.
This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.
CVE-2021-21363 has a CVSS score of 9.3 (Low). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.4.19); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Fix has been applied to the master branch with:
included in release: 2.4.19
Frequently Asked Questions
- What is CVE-2021-21363? CVE-2021-21363 is a low-severity security vulnerability in io.swagger:swagger-codegen (maven), affecting versions < 2.4.19. It is fixed in 2.4.19.
- How severe is CVE-2021-21363? CVE-2021-21363 has a CVSS score of 9.3 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of io.swagger:swagger-codegen are affected by CVE-2021-21363? io.swagger:swagger-codegen (maven) versions < 2.4.19 is affected.
- Is there a fix for CVE-2021-21363? Yes. CVE-2021-21363 is fixed in 2.4.19. Upgrade to this version or later.
- Is CVE-2021-21363 exploitable, and should I be worried? Whether CVE-2021-21363 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2021-21363 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2021-21363? Upgrade
io.swagger:swagger-codegento 2.4.19 or later.