OpenAPI to Java Records Mustache Templates Parent POM Unpacking Vulnerability

Vulnerability

A vulnerability exists in the parent POM file of the OpenAPI to Java Records Mustache Templates project, specifically in versions 3.1.1 through 3.5.0. The POM file, which is not intended for external use but is publicly available, uses the Maven Dependency Plugin to unpack arbitrary Mustache files from the same version of the OpenAPI to Java Records Mustache Templates artifact, rather than listing the expected template files explicitly. If the OpenAPI to Java Records Mustache Templates artifact were compromised and malicious Mustache files were added, those files would be unpacked automatically during a dependency update, potentially leading to security issues.

Impact

Exploitation of this vulnerability could allow for the automatic unpacking of malicious Mustache files from the OpenAPI to Java Records Mustache Templates artifact, if such files were introduced into the JAR. This could occur during a dependency update, creating a risk of executing harmful code or templates.

Remediation

Users are advised to avoid using the parent POM for external purposes. If the Maven Dependency Plugin must be used, it is crucial to explicitly list the Mustache files to be unpacked, ensuring that only safe, intended templates are included.
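The following POM fragment is an added illustration, not the project's own parent POM: it shows a Maven Dependency Plugin `unpack` execution with the wildcard include the advisory warns about (left in as a comment) replaced by an explicit allow-list of template files. The group id, artifact id, property name and template file names are placeholders, not values taken from the project.

```xml
<!-- Constructed example of an unpack execution with an explicit allow-list.
     PLACEHOLDER_GROUP_ID / PLACEHOLDER_ARTIFACT_ID and the template file
     names are assumptions for illustration only. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-dependency-plugin</artifactId>
      <executions>
        <execution>
          <id>unpack-mustache-templates</id>
          <phase>generate-sources</phase>
          <goals>
            <goal>unpack</goal>
          </goals>
          <configuration>
            <artifactItems>
              <artifactItem>
                <groupId>PLACEHOLDER_GROUP_ID</groupId>
                <artifactId>PLACEHOLDER_ARTIFACT_ID</artifactId>
                <version>${templates.version}</version>
                <type>jar</type>
                <overWrite>true</overWrite>
                <outputDirectory>${project.build.directory}/mustache-templates</outputDirectory>
                <!-- Risky form described in the advisory: every .mustache file found
                     in the JAR is unpacked, so a template added to a compromised
                     artifact would be picked up without anyone noticing.
                <includes>**/*.mustache</includes>
                -->
                <!-- Safer form: only the templates the build actually needs are
                     unpacked; an unexpected file in the JAR is simply ignored. -->
                <includes>record.mustache,enum.mustache,api.mustache</includes>
              </artifactItem>
            </artifactItems>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

After a version bump, compare the contents of `${project.build.directory}/mustache-templates` against the allow-list; any template the generator needs that is missing shows up as a build failure rather than as a silently unpacked extra file.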

Added: Mar 18, 2026, 11:24 PM
Updated: Mar 18, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm

- spread: 0.0
- impact: 0.8
- exploitability: 4.4
- remediation: 0.0
- relevance: 4.3
- threat: 0.0
- urgency: 2.9
- incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.