Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/io.swagger/swagger-codegen@2.1.6
purl pkg:maven/io.swagger/swagger-codegen@2.1.6
Next non-vulnerable version 2.4.19
Latest non-vulnerable version 2.4.19
Risk
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-b96v-1eu4-23ay
Aliases:
CVE-2017-1000208
GHSA-q7pf-qr96-2vq5
Deserialization of Untrusted Data in swagger-parser A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This in particular, affects the 'generate' and 'validate' command in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.
2.2.2
Affected by 3 other vulnerabilities.
2.2.3
Affected by 2 other vulnerabilities.
VCID-cra3-k2jw-jqe7
Aliases:
CVE-2017-1000207
GHSA-vgvf-9jh3-fg75
Deserialization of Untrusted Data in swagger-codegen A vulnerability in Swagger-Parser's version <= 1.0.30 and Swagger codegen version <= 2.2.2 yaml parsing functionality results in arbitrary code being executed when a maliciously crafted yaml Open-API specification is parsed. This in particular, affects the 'generate' and 'validate' command in swagger-codegen (<= 2.2.2) and can lead to arbitrary code being executed when these commands are used on a well-crafted yaml specification.
2.2.2
Affected by 3 other vulnerabilities.
VCID-p7et-9358-syev
Aliases:
CVE-2021-21363
GHSA-pc22-3g76-gm6j
Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. #### Java Code The method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability. https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185 ### Patches Fix has been applied to the master branch with: * https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89 included in release: 2.4.19 ### References * [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) * [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) ### For more information If you have any questions or comments about this advisory: * Email us at [security@swagger.io](mailto:security@swagger.io) #### Original vulnerability report > I'm performing OSS security research under the GitHub Security Lab Bug Bounty program. > I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries. > > - https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f > - https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac > - https://github.com/github/codeql/pull/4473 > > The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users. > > --- > > This vulnerability exists in the maven plugin. > > This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability. > > https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185 > > This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project. > > https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6 > > This is due to a race condition between the call to `delete` and the call to `mkdirs`. > > ```java > // ensure file will always be unique by appending random digits > File outputFolder = File.createTempFile("codegen-", "-tmp"); // Attacker knows the full path of the file that will be generated > // delete the file that was created > outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator. > // and make a directory of the same name > // SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory > outputFolder.mkdirs(); > ``` > > This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. > > The fix here is to switch to the `Files` API for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions. >
2.4.19
Affected by 0 other vulnerabilities.
VCID-zrty-8qbe-gua2
Aliases:
CVE-2021-21364
GHSA-hpv8-9rq5-hq7w
Generated Code Contains Local Information Disclosure Vulnerability ### Impact **This vulnerability impacts generated code.** If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually! On Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default `umask` settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions `-rw-r--r--` and `drwxr-xr-x` respectively, unless an API that explicitly sets safe file permissions is used. #### Java Code The method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability. - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/kotlin-client/infrastructure/ApiClient.kt.mustache#L209 - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/finch/api.mustache#L84 - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L831-L834 - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L630-L633 ### Patches Fix has been applied to the master branch with: * https://github.com/swagger-api/swagger-codegen/commit/35adbd552d5f99b3ff1e0e59da228becc85190f2 included in release: 2.4.19 ### Workarounds Users can remediate the vulnerability in non patched version by manually (or programmatically e.g. in CI) updating the generated source code to use `java.nio.files.Files` temporary file creation instead of `java.io.File`, e.g. by changing ```java if (tempFolderPath == null) return File.createTempFile(prefix, suffix); else return File.createTempFile(prefix, suffix, new File(tempFolderPath)); ``` to ```java if (tempFolderPath == null) return Files.createTempFile(prefix, suffix).toFile(); else return Files.createTempFile(Paths.get(tempFolderPath), prefix, suffix).toFile(); ``` or generally changing: ```java File.createTempFile(prefix, suffix); ``` to ```java Files.createTempFile(prefix, suffix).toFile(); ``` ### References * [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) * [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) * [CWE-732: Incorrect Permission Assignment for Critical Resource](https://cwe.mitre.org/data/definitions/732.html) ### For more information If you have any questions or comments about this advisory: * Email us at [security@swagger.io](mailto:security@swagger.io) #### Original vulnerability report > I'm performing OSS security research under the GitHub Security Lab Bug Bounty program. > I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries. > > - https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f > - https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac > - https://github.com/github/codeql/pull/4473 > > The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users. > > --- > > This code exists in the code generator, in the generated code. > > In this case, I believe this is only a local information disclosure. IE. another user can read the information, not replace it. > > In particular, the method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability. > > This is because `File.createTempFile` creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system. > > - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/kotlin-client/infrastructure/ApiClient.kt.mustache#L209 > - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/finch/api.mustache#L84 > - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L831-L834 > - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L630-L633 > > The fix here is to switch to the `Files` API, instead of `File` as that appropriately sets the file permissions. >
2.4.19
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-30T04:35:12.052766+00:00 GitLab Importer Affected by VCID-zrty-8qbe-gua2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.swagger/swagger-codegen/CVE-2021-21364.yml 38.6.0
2026-05-30T04:35:10.663923+00:00 GitLab Importer Affected by VCID-p7et-9358-syev https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.swagger/swagger-codegen/CVE-2021-21363.yml 38.6.0
2026-05-30T03:58:43.979892+00:00 GitLab Importer Affected by VCID-cra3-k2jw-jqe7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.swagger/swagger-codegen/CVE-2017-1000207.yml 38.6.0
2026-05-30T03:58:41.280495+00:00 GitLab Importer Affected by VCID-b96v-1eu4-23ay https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/io.swagger/swagger-codegen/CVE-2017-1000208.yml 38.6.0