PT-2021-14446 · Oracle · Jdk

Published

2021-03-11

·

Updated

2022-10-21

·

CVE-2021-21364

CVSS v3.1

5.5

Medium

Vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: swagger-codegen versions prior to 2.4.19
Description: The issue affects generated code, which remains vulnerable until it is manually fixed. On Unix-like systems the system temporary directory is shared between all local users. When files and directories are created there, the process umask is respected, so with the usual umask of 022 they are created with permissions -rw-r--r-- and drwxr-xr-x respectively, unless the API explicitly sets safe permissions at creation time. The JDK method File.createTempFile behaves this way, so a temporary file created by the generated code is readable by every other local user for its entire lifetime: a local information disclosure.
Recommendations: For code generated by versions prior to 2.4.19, remediate by manually updating the generated source to create temporary files with java.nio.file.Files instead of java.io.File, i.e. change File.createTempFile(prefix, suffix) to Files.createTempFile(prefix, suffix).toFile(). Files.createTempFile requests owner-only permissions (rw-------) when the file is opened, which the umask can only tighten further, so no window exists in which another user can read the file. Until the code can be regenerated with a fixed version, the same edit serves as a workaround.
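The following is an added example written for this advisory; it is not code from swagger-codegen or the JDK, and the class and method names are chosen here. It creates one temporary file with each API named above and reports the resulting POSIX permission bits, so the difference the recommendation relies on can be observed directly. It assumes a Unix-like system with the default umask of 022; the permission calls throw UnsupportedOperationException on Windows.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example for CVE-2021-21364: compares the vulnerable and the
// recommended temp-file APIs on a POSIX filesystem. Not project code.
public class TempFilePermissions {

    // The pattern emitted by affected swagger-codegen templates. java.io.File
    // opens the file with mode 0666 and lets the process umask trim it, so with
    // the usual umask of 022 the file ends up 0644 (-rw-r--r--), readable by
    // every local user who shares the temporary directory.
    static Path createVulnerable(String prefix, String suffix) throws IOException {
        File f = File.createTempFile(prefix, suffix);
        f.deleteOnExit();
        return f.toPath();
    }

    // The remediation from the advisory. java.nio.file.Files asks for mode 0600
    // (rw-------) at open time; umask can only remove bits, so the file is never
    // group- or world-readable regardless of the umask the JVM inherited.
    static Path createHardened(String prefix, String suffix) throws IOException {
        Path p = Files.createTempFile(prefix, suffix);
        p.toFile().deleteOnExit();
        return p;
    }

    // True if another local user could read the file, i.e. any group or other
    // read bit is set. This is the check to run against generated code's output.
    static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    static String describe(String label, Path p) throws IOException {
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
        return String.format("%-7s %s %s readable by other users: %b",
            label, mode, p, readableByOthers(p));
    }

    public static void main(String[] args) throws IOException {
        Path vulnerable = createVulnerable("cve-2021-21364-", ".tmp");
        Path hardened = createHardened("cve-2021-21364-", ".tmp");
        System.out.println(describe("File:", vulnerable));   // rw-r--r-- ... true  (umask 022)
        System.out.println(describe("Files:", hardened));    // rw------- ... false
    }
}
```

Compile and run with `javac TempFilePermissions.java && java TempFilePermissions`. The same distinction applies to the directory case the description mentions: Files.createTempDirectory requests rwx------ (0700) at creation, whereas a directory created through java.io.File gets the umask-derived drwxr-xr-x. Changing permissions after creation with File.setReadable is not an equivalent fix, because the file already exists with the weak mode before the chmod runs.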

Fix

Information Disclosure

Incorrect Permission

Weakness Enumeration

Related Identifiers

CVE-2021-21364
GHSA-HPV8-9RQ5-HQ7W

Affected Products

Jdk