PT-2021-14445 · Oracle · Jdk
Frantuma +1
Published 2021-03-11 · Updated 2021-03-18
CVE-2021-21363
CVSS v3.1 9.3 Critical
Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: swagger-codegen versions prior to 2.4.19
Description: On Unix-like systems the system temporary directory is shared between all users, so a colocated local user can observe the temporary file that File.createTempFile creates and race swagger-codegen to complete the creation of the temporary subdirectory derived from it. This is a local privilege escalation issue because the attacker can then append to the contents of the outputFolder and control the code written to this directory when it is later executed. The JDK method File.createTempFile is vulnerable to this local information disclosure issue: the file it creates gets permissions from the process umask (world-readable by default) rather than being restricted to the owner, and turning that file into a directory requires a separate delete-and-mkdir step that opens the race window.
Recommendations: For versions prior to 2.4.19, update to version 2.4.19 to fix the vulnerability. As a temporary workaround, avoid File.createTempFile and use the java.nio.file.Files API (Files.createTempDirectory) for creating temporary directories: it creates the directory in a single step, so there is no delete-then-mkdir race, and on POSIX systems it sets owner-only permissions (rwx------). Restrict access to the temporary directory (for example, by pointing java.io.tmpdir at a per-user directory) to minimize the risk of exploitation.
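The vulnerable pattern and the recommended Files-API replacement side by side, as an added example written for this page; it is not swagger-codegen's own code. The class and method names are made up, and the permission check assumes a POSIX file system (Files.getPosixFilePermissions throws UnsupportedOperationException elsewhere).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

/**
 * Added example (not swagger-codegen's code): the shared-/tmp race behind
 * CVE-2021-21363 and the Files-API fix recommended above.
 */
public class TempDirExample {

    /** Vulnerable pattern: File.createTempFile, then replace the file with a directory. */
    static File vulnerableTempDir() throws IOException {
        // createTempFile opens the file with mode 0666 masked by the process umask,
        // so it is typically world-readable and its name is visible to every local
        // user listing the shared temporary directory.
        File f = File.createTempFile("codegen-", ".tmp");
        // Turning the file into a directory needs delete() followed by mkdir().
        // Between the two calls a colocated user who saw the name can mkdir() it
        // first and then own the directory the generator later writes code into.
        if (!f.delete() || !f.mkdir()) {
            throw new IOException("could not create temp dir " + f);
        }
        return f;
    }

    /** Hardened pattern: one atomic mkdir with owner-only permissions (rwx------ on POSIX). */
    static Path hardenedTempDir() throws IOException {
        return Files.createTempDirectory("codegen-");
    }

    /** Check a practitioner can run: reject directories that are group- or world-accessible. */
    static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ
                    && p != PosixFilePermission.OWNER_WRITE
                    && p != PosixFilePermission.OWNER_EXECUTE) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        File bad = vulnerableTempDir();
        Path good = hardenedTempDir();
        System.out.println(bad + " owner-only: " + isOwnerOnly(bad.toPath()));
        System.out.println(good + " owner-only: " + isOwnerOnly(good));
        // Clean up both directories so the example leaves nothing behind in /tmp.
        bad.delete();
        Files.delete(good);
    }
}
```

With the usual 022 umask the mkdir-based directory is created 0755 and fails the owner-only check, while the Files.createTempDirectory one is rwx------ and passes; the check is a cheap guard to add wherever generated code is staged before execution.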


Related Identifiers

CVE-2021-21363
GHSA-PC22-3G76-GM6J

Affected Products

Jdk