An unexpected behavior in a relatively new and popular open source API framework called Swagger could lead to code execution, researchers at Rapid7 said.
The company today disclosed some details on the vulnerability, and released a Metasploit exploit module and a proposed patch written by researcher Scott Davis, who found the flaw.
Details were privately disclosed on April 19 to the Swagger API team and then on May 9 to CERT, Rapid7 said. To date, Rapid7 Security Research Manager Tod Beardsley told Threatpost, there has been no response from Swagger’s maintainers. Rapid7 said it shared its patch with CERT on June 16 and today made its public disclosure.