CVE-2021-21363

CVE-2021-21363 is a low-severity security vulnerability in io.swagger:swagger-codegen (maven), affecting versions < 2.4.19. It is fixed in 2.4.19.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory

Java Code

The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185

References

For more information

If you have any questions or comments about this advisory:

Original vulnerability report

I'm performing OSS security research under the GitHub Security Lab Bug Bounty program.
I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.

The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.

This vulnerability exists in the maven plugin.

This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability.

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185

This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project.

https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6

This is due to a race condition between the call to delete and the call to mkdirs.

// ensure file will always be unique by appending random digits
File outputFolder = File.createTempFile("codegen-", "-tmp"); // Attacker knows the full path of the file that will be generated
// delete the file that was created
outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator.
// and make a directory of the same name
// SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory
outputFolder.mkdirs();

This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.

The fix here is to switch to the Files API for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions.

Impact

On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory.

This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.

CVE-2021-21363 has a CVSS score of 9.3 (Low). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.4.19); upgrading removes the vulnerable code path.

Affected versions

io.swagger:swagger-codegen (< 2.4.19)

Security releases

io.swagger:swagger-codegen → 2.4.19 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Fix has been applied to the master branch with:

included in release: 2.4.19

Frequently Asked Questions

  1. What is CVE-2021-21363? CVE-2021-21363 is a low-severity security vulnerability in io.swagger:swagger-codegen (maven), affecting versions < 2.4.19. It is fixed in 2.4.19.
  2. How severe is CVE-2021-21363? CVE-2021-21363 has a CVSS score of 9.3 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of io.swagger:swagger-codegen are affected by CVE-2021-21363? io.swagger:swagger-codegen (maven) versions < 2.4.19 is affected.
  4. Is there a fix for CVE-2021-21363? Yes. CVE-2021-21363 is fixed in 2.4.19. Upgrade to this version or later.
  5. Is CVE-2021-21363 exploitable, and should I be worried? Whether CVE-2021-21363 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2021-21363 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2021-21363? Upgrade io.swagger:swagger-codegen to 2.4.19 or later.

Other vulnerabilities in io.swagger:swagger-codegen

Stop the waste.
Protect your environment with Kodem.