Java, PHP, NodeJS, and Ruby Tools Compromised By Severe Swagger Vulnerability

"Researchers have discovered a vulnerability within the Swagger specification which may place tools based on NodeJS, PHP, Ruby, and Java at risk of exploit," warns ZDNet's blog Zero Day, adding "the severe flaw allows attackers to remotely execute code http://t.sidekickopen06.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJN7t5XYgdDNq6N3LjlmddnsfMW8q5y9d56dV_ff7DM6hg02?t=http%3A%2F%2Fwww.zdnet.com%2Farticle%2Fsevere-swagger-vulnerability-compromises-nodejs-php-java%2F&si=6068160240287744&pi=bf083940-ad89-4363-8262-d682b1940e43." Slashdot reader msm1267 http://t.sidekickopen06.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJN7t5XYgdDNq6N3LjlmddnsfMW8q5y9d56dV_ff7DM6hg02?t=https%3A%2F%2Fdevelopers.slashdot.org%2F~msm1267&si=6068160240287744&pi=bf083940-ad89-4363-8262-d682b1940e43 writes:A serious parameter injection vulnerability exists in the Swagger Code Generator that could allow an attacker to embed executable code in a Swagger JSON file http://t.sidekickopen06.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJN7t5XYgdDNq6N3LjlmddnsfMW8q5y9d56dV_ff7DM6hg02?t=https%3A%2F%2Fthreatpost.com%2Funpatched-remote-code-execution-flaw-exists-in-swagger%2F118867%2F&si=6068160240287744&pi=bf083940-ad89-4363-8262-d682b1940e43. The flaw affects NodeJS, Ruby, PHP, Java and likely other programming languages. Researchers at Rapid7 who found the flaw disclosed details http://t.sidekickopen06.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJN7t5XYgdDNq6N3LjlmddnsfMW8q5y9d56dV_ff7DM6hg02?t=https%3A%2F%2Fcommunity.rapid7.com%2Fcommunity%2Finfosec%2Fblog%2F2016%2F06%2F23%2Fr7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641&si=6068160240287744&pi=bf083940-ad89-4363-8262-d682b1940e43...as well as a Metasploit module and a proposed patch for the specification. The matter was privately disclosed in April, but Rapid7 said it never heard a response from Swagger's maintainers.

Swagger produces and consumes RESTful web services APIs; Swagger docs can be consumed to automatically generate client-server code. As of January 1, the Swagger specification was donated to the Open API Initiative and became the foundation for the OpenAPI Specification. The vulnerability lies in the Swagger Code Generator, and specifically in that parsers for Swagger documents (written in JSON) don't properly sanitize input. Therefore, an attacker can abuse a developer's trust in Swagger to include executable code that will run once it's in the development environment.
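To make the bug class concrete, here is an added example (JavaScript, not code from Swagger Codegen, Rapid7 or the articles above): a toy template-based generator that turns a Swagger 2.0 document into a JavaScript client module. The first generator pastes document strings straight into the emitted source, the pattern the disclosure describes; the second escapes every value as a string literal or validates it against a strict identifier grammar. The Swagger document, the `description` and `operationId` payloads, and the `globalThis.injected` marker are all constructed for this demo and are illustrative, not a reported payload or field.

```javascript
// Added example, not Swagger Codegen's own code: a toy Swagger 2.0 -> JS client
// generator in its vulnerable and hardened forms. Spec and payloads are constructed.

// Constructed Swagger document. If it was fetched from a third party, every string
// in it is attacker-controlled, including this "description".
const MALICIOUS_SPEC = {
  swagger: "2.0",
  info: {
    title: "Pet Store",
    // Closes the generated string literal, runs a statement, comments out the rest.
    description: 'Pets"; globalThis.injected = true; //',
  },
  host: "api.example.test",
  basePath: "/v1",
  paths: {
    "/pets": { get: { operationId: "listPets", summary: "List all pets" } },
  },
};

// VULNERABLE generator: the bug class behind CVE-2016-5641. Document values are
// interpolated straight into the emitted source text.
function generateClientVulnerable(spec) {
  let out = `// ${spec.info.title}\n`;
  out += `const BASE_URL = "https://${spec.host}${spec.basePath}";\n`;
  out += `const DESCRIPTION = "${spec.info.description}";\n`;
  for (const [path, ops] of Object.entries(spec.paths)) {
    for (const [method, op] of Object.entries(ops)) {
      out += `// ${op.summary}\n`;
      out += `function ${op.operationId}() {\n`;
      out += `  return fetch(BASE_URL + "${path}", { method: "${method.toUpperCase()}" });\n}\n`;
    }
  }
  return out;
}

// HARDENED generator: a document value reaches the output only as a properly
// escaped string literal or after passing a strict identifier check; otherwise abort.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set(["break", "case", "catch", "class", "const", "continue",
  "debugger", "default", "delete", "do", "else", "export", "extends", "finally",
  "for", "function", "if", "import", "in", "instanceof", "new", "return", "super",
  "switch", "this", "throw", "try", "typeof", "var", "void", "while", "with",
  "yield", "let", "static", "await", "eval", "arguments"]);
const HTTP_METHODS = new Set(["get", "put", "post", "delete", "options", "head", "patch"]);

function jsString(value) {
  // JSON.stringify yields a valid JS string literal; also escape the two Unicode
  // line terminators, which older engines treated as line breaks inside literals.
  return JSON.stringify(String(value)).replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

function jsIdentifier(value, what) {
  if (typeof value !== "string" || !IDENT.test(value) || RESERVED.has(value)) {
    throw new Error(`refusing to generate: ${what} ${jsString(value)} is not a safe identifier`);
  }
  return value;
}

function jsComment(text) {
  // A line terminator would end the comment early, so collapse them to spaces.
  return "// " + String(text).replace(/[\r\n\u2028\u2029]/g, " ") + "\n";
}

function generateClientSafe(spec) {
  const host = String(spec.host);
  if (!/^[A-Za-z0-9.-]+(:\d{1,5})?$/.test(host)) throw new Error("refusing to generate: bad host");
  let out = jsComment(spec.info.title);
  out += `const BASE_URL = ${jsString("https://" + host + spec.basePath)};\n`;
  out += `const DESCRIPTION = ${jsString(spec.info.description)};\n`;
  for (const [path, ops] of Object.entries(spec.paths)) {
    for (const [method, op] of Object.entries(ops)) {
      if (!HTTP_METHODS.has(method)) throw new Error(`refusing to generate: bad method ${jsString(method)}`);
      out += jsComment(op.summary);
      out += `function ${jsIdentifier(op.operationId, "operationId")}() {\n`;
      out += `  return fetch(BASE_URL + ${jsString(path)}, { method: ${jsString(method.toUpperCase())} });\n}\n`;
    }
  }
  return out;
}

// Loads generated source into this process, as require()-ing the generated client
// would. Returns true if the attacker's injected statement executed.
function runGenerated(source) {
  delete globalThis.injected;
  new Function(source)();
  return globalThis.injected === true;
}

// Same spec attacked through operationId instead of a string field: escaping
// string literals alone is not enough, identifiers need their own validation.
const IDENT_ATTACK_SPEC = JSON.parse(JSON.stringify(MALICIOUS_SPEC));
IDENT_ATTACK_SPEC.info.description = "harmless";
IDENT_ATTACK_SPEC.paths["/pets"].get.operationId = "listPets() {} globalThis.injected = true; function x";

function demo() {
  return {
    vulnerableStringInjection: runGenerated(generateClientVulnerable(MALICIOUS_SPEC)),
    safeStringInjection: runGenerated(generateClientSafe(MALICIOUS_SPEC)),
    vulnerableIdentifierInjection: runGenerated(generateClientVulnerable(IDENT_ATTACK_SPEC)),
  };
}
```

Run it with `node` and call `demo()`: the vulnerable generator lets both payloads execute the moment the generated module is loaded, the hardened one keeps the `description` inside a string literal and refuses to emit the hostile `operationId` at all. The same discipline has to be applied per target language in a real generator, since a value that is a safe JS string literal is not automatically a safe Ruby, PHP or Java literal, and since comments, identifiers and string literals each need their own escaping rule.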