Swagger parameter injection Remote Code Execution Vulnerability (CVE-2016-5641)

Swagger parameter injection Remote Code Execution Vulnerability (CVE-2016-5641)
Swagger parameter injection Remote Code Execution Vulnerability (CVE-2016-5641)

Release date:
Updated on:

Affected Systems:

Swagger

Description:

CVE (CAN) ID: CVE-2016-5641

Swagger is a widely used open-source RESTful API framework. Swagger Code Generator contains a template-driven engine that can generate client Code in multiple languages based on Swagger Resource Declaration.

Swagger Code Generator contains Injection Parameters in JSON or YAML files, which can cause remote Code execution. This vulnerability affects other languages such as NodeJS, PHP, Ruby, and Java. Other code generation tools may also be affected by parameter injection.

<* Source: Scott Davis

Link: https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641
*>

Suggestion:

Temporary solution:

If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:

We recommend that you follow the Swagger information and carefully check the escape characters of Swagger languages before fixing the vulnerability.

Vendor patch:

Swagger
-------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://swagger.io/

This article permanently updates the link address: