
Vulnerable gradle wrapper used

Open ArulPrakas opened this issue 5 years ago • 3 comments

Description

Vulnerable gradle wrapper referenced in swagger-codegen-2.3.1.jar\android\gradle-wrapper.jar

It has the following vulnerabilities associated with it:

  1. ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object.
     https://nvd.nist.gov/vuln/detail/CVE-2016-6199 (CVSS Base score: 9.8 Critical)

  2. The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.
     https://nvd.nist.gov/vuln/detail/CVE-2019-15052 (CVSS Base score: 9.8 Critical)

Swagger-codegen version

2.3.1

ArulPrakas avatar Jul 23 '20 16:07 ArulPrakas
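A defender-side check for the kind of finding reported above, added here as an example (it is not code from the issue or from the swagger-codegen project): it walks an outer jar, locates any nested gradle-wrapper.jar, reads the wrapper's Gradle version and flags versions below 5.6 (the fix line for CVE-2019-15052; 2.12 from CVE-2016-6199 is older still). It assumes the wrapper jar carries a `build-receipt.properties` file with a `versionNumber` key, and builds a constructed sample jar in memory so it runs offline.

```python
import io
import zipfile

# First Gradle version not affected by CVE-2019-15052 ("before 5.6" per NVD).
FIXED_VERSION = (5, 6)


def parse_version(text):
    """Turn '2.12' or '5.6.4' (or '5.6-rc-1') into a comparable tuple of ints."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))


def wrapper_version(wrapper_jar_bytes):
    """Read versionNumber from build-receipt.properties inside a gradle-wrapper.jar.
    Assumption: the wrapper jar ships that file; a missing file yields None."""
    with zipfile.ZipFile(io.BytesIO(wrapper_jar_bytes)) as wj:
        if "build-receipt.properties" not in wj.namelist():
            return None
        for line in wj.read("build-receipt.properties").decode().splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "versionNumber":
                return value.strip()
    return None


def find_embedded_wrappers(outer_jar_bytes):
    """Report (entry name, Gradle version, vulnerable?) for every nested
    gradle-wrapper.jar in an outer jar such as swagger-codegen-2.3.1.jar.
    vulnerable is None when the version could not be determined."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(outer_jar_bytes)) as oj:
        for name in oj.namelist():
            if name.replace("\\", "/").endswith("gradle-wrapper.jar"):
                version = wrapper_version(oj.read(name))
                vulnerable = None if version is None else parse_version(version) < FIXED_VERSION
                findings.append((name, version, vulnerable))
    return findings


def build_sample_jar(gradle_version):
    """Constructed fixture: an outer jar embedding a minimal wrapper jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as wj:
        wj.writestr("build-receipt.properties", f"versionNumber={gradle_version}\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as oj:
        oj.writestr("android/gradle-wrapper.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(find_embedded_wrappers(build_sample_jar("2.12")))
```

To scan a real artifact, pass the bytes of the downloaded jar to `find_embedded_wrappers` in place of the constructed fixture.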

Sadly this is still true for version 2.4.26. We are getting warnings from our OWASP Dependency Check tool https://owasp.org/www-project-dependency-check/

swiss-chris avatar Mar 10 '22 15:03 swiss-chris

Wow this issue is now over 2 years old. CVE-2016-6199 has a Score of 9.8 CRITICAL. Are there no plans to resolve this Issue? Or at least a comment why this won't get resolved?

@ArulPrakas could you maybe update the title to something like "CRITICAL vulnerable gradle wrapper with SCORE 9.8 used"?

mnisius avatar Jul 28 '22 07:07 mnisius

@mnisius: Indeed.

This still holds for io.swagger:swagger-codegen:2.4.27, but not for io.swagger.codegen.v3:swagger-codegen:3.0.34.

tdinev avatar Aug 05 '22 08:08 tdinev

@tdinev is it 3.0.34 or 1.0.34? I found the latter here https://github.com/swagger-api/swagger-codegen-generators/blob/v1.0.34/pom.xml but if the former is correct, could you please provide a link to a source for this dependency?

swiss-chris avatar Aug 11 '22 14:08 swiss-chris

@swiss-chris: Apparently io.swagger.codegen.v3:swagger-codegen:3.0.34 has been tagged on Github as v1.0.34 (cf. https://github.com/swagger-api/swagger-codegen/releases/tag/v3.0.34). Maven Central knows it under the above coordinates (i.e., with version 3.0.34): https://search.maven.org/artifact/io.swagger.codegen.v3/swagger-codegen/3.0.34/jar

tdinev avatar Aug 11 '22 14:08 tdinev

Sorry, I did not see that your link was referring to swagger-codegen-generators. I was talking about swagger-codegen.

tdinev avatar Aug 11 '22 14:08 tdinev