6.2
CVE-2021-21290
- EPSS 0.02%
- Veröffentlicht 08.02.2021 20:15:12
- Zuletzt bearbeitet 21.11.2024 05:47:56
- Quelle security-advisories@github.com
- Teams Watchlist Login
- Unerledigt Login
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Debian ≫ Debian Linux Version9.0
Debian ≫ Debian Linux Version10.0
Oracle ≫ Banking Corporate Lending Process Management Version14.2.0
Oracle ≫ Banking Corporate Lending Process Management Version14.3.0
Oracle ≫ Banking Corporate Lending Process Management Version14.5.0
Oracle ≫ Banking Credit Facilities Process Management Version14.2.0
Oracle ≫ Banking Credit Facilities Process Management Version14.3.0
Oracle ≫ Banking Credit Facilities Process Management Version14.5.0
Oracle ≫ Banking Trade Finance Process Management Version14.2.0
Oracle ≫ Banking Trade Finance Process Management Version14.3.0
Oracle ≫ Banking Trade Finance Process Management Version14.5.0
Oracle ≫ Communications Brm - Elastic Charging Engine Version12.0.0.3
Oracle ≫ Communications Design Studio Version7.4.2
Oracle ≫ Communications Messaging Server Version8.1
Oracle ≫ Nosql Database Version < 20.3
Netapp ≫ Active Iq Unified Manager Version- SwPlatformlinux
Netapp ≫ Active Iq Unified Manager Version- SwPlatformwindows
Netapp ≫ Cloud Secure Agent Version-
Netapp ≫ Snapcenter Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.028 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 1.9 | 3.4 | 2.9 |
AV:L/AC:M/Au:N/C:P/I:N/A:N
|
| security-advisories@github.com | 6.2 | 2.5 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-378 Creation of Temporary File With Insecure Permissions
Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.
CWE-379 Creation of Temporary File in Directory with Insecure Permissions
The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
CWE-668 Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.