CVE-2021-21363
CVE-2021-21363 is a medium-severity vulnerability in Smartbear Swagger-codegen with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-378.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v2: 4.4
- EPSS exploit prediction: 0% (33rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-378
- Affected product: Smartbear Swagger-codegen
- Published:
- Last modified:
Description
swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364.
Frequently asked questions
- What is CVE-2021-21363?
- swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API clients and server stubs in different languages by parsing your OpenAPI / Swagger definition. In swagger-codegen before version 2.4.19, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled. For more details refer to the referenced GitHub Security Advisory. This vulnerability is fixed in version 2.4.19. Note this is a distinct vulnerability from CVE-2021-21364.
- How severe is CVE-2021-21363?
- CVE-2021-21363 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over local access with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2021-21363 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (33rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-21363?
- CVE-2021-21363 affects Smartbear Swagger-codegen. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-21363?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-21363 published?
- CVE-2021-21363 was published on 2021-03-11 and last updated on 2026-06-17.
References
- https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89
- https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j
Affected products (1)
- cpe:2.3:a:smartbear:swagger-codegen:*:*:*:*:*:*:*:*
More vulnerabilities in Smartbear Swagger-codegen
- CVE-2021-21364 — Medium (CVSS 5.3): swagger-codegen is an open-source project which contains a template-driven engine to generate documentation, API…
All CVEs affecting Smartbear Swagger-codegen →
Other CWE-378 vulnerabilities
- CVE-2024-39872 — Critical (CVSS 9.6): A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application…
- CVE-2025-32438 — High (CVSS 8.8): make-initrd-ng is a tool for copying binaries and their dependencies. Local privilege escalation affecting all NixOS…
- CVE-2025-27148 — High (CVSS 8.8): Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. On Unix-like…
- CVE-2021-29428 — High (CVSS 8.8): In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions…
- CVE-2026-33572 — High (CVSS 8.4): OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local…
- CVE-2026-4137 — High (CVSS 7.8): In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py`…