CVE-2021-21364

CVE-2021-21364 is a medium-severity incorrect permission assignment for critical resource vulnerability in io.swagger:swagger-codegen (maven), affecting versions < 2.4.19. It is fixed in 2.4.19.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Generated Code Contains Local Information Disclosure Vulnerability

Java Code

The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

Workarounds

Users can remediate the vulnerability in non patched version by manually (or programmatically e.g. in CI) updating the generated source code to use java.nio.files.Files temporary file creation instead of java.io.File, e.g. by changing


    if (tempFolderPath == null)
      return File.createTempFile(prefix, suffix);
    else
      return File.createTempFile(prefix, suffix, new File(tempFolderPath));

to


    if (tempFolderPath == null)
      return Files.createTempFile(prefix, suffix).toFile();
    else
      return Files.createTempFile(Paths.get(tempFolderPath), prefix, suffix).toFile();

or generally changing:


File.createTempFile(prefix, suffix);

to


Files.createTempFile(prefix, suffix).toFile();

References

For more information

If you have any questions or comments about this advisory:

Original vulnerability report

I'm performing OSS security research under the GitHub Security Lab Bug Bounty program.
I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.

The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.

This code exists in the code generator, in the generated code.

In this case, I believe this is only a local information disclosure. IE. another user can read the information, not replace it.

In particular, the method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

This is because File.createTempFile creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system.

The fix here is to switch to the Files API, instead of File as that appropriately sets the file permissions.

Impact

This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually!

On Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default umask settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions -rw-r--r-- and drwxr-xr-x respectively, unless an API that explicitly sets safe file permissions is used.

A file, directory, or other resource is assigned permissions that allow broader access than intended. Typical impact: unauthorized read, modification, or execution of the resource.

CVE-2021-21364 has a CVSS score of 6.2 (Medium). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.4.19); upgrading removes the vulnerable code path.

Affected versions

io.swagger:swagger-codegen (< 2.4.19)

Security releases

io.swagger:swagger-codegen → 2.4.19 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Fix has been applied to the master branch with:

included in release: 2.4.19

Frequently Asked Questions

  1. What is CVE-2021-21364? CVE-2021-21364 is a medium-severity incorrect permission assignment for critical resource vulnerability in io.swagger:swagger-codegen (maven), affecting versions < 2.4.19. It is fixed in 2.4.19. A file, directory, or other resource is assigned permissions that allow broader access than intended.
  2. How severe is CVE-2021-21364? CVE-2021-21364 has a CVSS score of 6.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of io.swagger:swagger-codegen are affected by CVE-2021-21364? io.swagger:swagger-codegen (maven) versions < 2.4.19 is affected.
  4. Is there a fix for CVE-2021-21364? Yes. CVE-2021-21364 is fixed in 2.4.19. Upgrade to this version or later.
  5. Is CVE-2021-21364 exploitable, and should I be worried? Whether CVE-2021-21364 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2021-21364 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2021-21364? Upgrade io.swagger:swagger-codegen to 2.4.19 or later.

Other vulnerabilities in io.swagger:swagger-codegen

Stop the waste.
Protect your environment with Kodem.