cve-2021-28168
Vulnerability from cvelistv5
Published
2021-04-22 17:35
Modified
2024-08-03 21:40
Summary
Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
References
emo@eclipse.orghttps://github.com/eclipse-ee4j/jersey/pull/4712Patch, Third Party Advisory
emo@eclipse.orghttps://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crvThird Party Advisory
emo@eclipse.orghttps://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E
emo@eclipse.orghttps://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:40:12.260Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/eclipse-ee4j/jersey/pull/4712"
          },
          {
            "name": "[kafka-jira] 20210429 [GitHub] [kafka] xjin-Confluent opened a new pull request #10614: MINOR: Upgrade jersey to 2.34",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-jira] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-dev] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-jira] 20210505 [GitHub] [kafka] shayelkin opened a new pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-jira] 20210506 [jira] [Assigned] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-jira] 20210506 [jira] [Commented] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy merged pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-commits] 20210506 [kafka] branch 2.7 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-commits] 20210506 [kafka] branch 2.8 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-jira] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-dev] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr closed pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E"
          },
          {
            "name": "[kafka-users] 20210617 vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Eclipse Jersey",
          "vendor": "The Eclipse Foundation",
          "versions": [
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "2.28",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.33",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "3.0.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-378",
              "description": "CWE-378: Creation of Temporary File With Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T23:54:30",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/eclipse-ee4j/jersey/pull/4712"
        },
        {
          "name": "[kafka-jira] 20210429 [GitHub] [kafka] xjin-Confluent opened a new pull request #10614: MINOR: Upgrade jersey to 2.34",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-jira] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-dev] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-jira] 20210505 [GitHub] [kafka] shayelkin opened a new pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-jira] 20210506 [jira] [Assigned] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-jira] 20210506 [jira] [Commented] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy merged pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-commits] 20210506 [kafka] branch 2.7 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-commits] 20210506 [kafka] branch 2.8 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-jira] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-dev] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr closed pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E"
        },
        {
          "name": "[kafka-users] 20210617 vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@eclipse.org",
          "ID": "CVE-2021-28168",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Eclipse Jersey",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_value": "2.28"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.33"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "3.0.0"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "3.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "The Eclipse Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 6.2,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-378: Creation of Temporary File With Insecure Permissions"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv",
              "refsource": "CONFIRM",
              "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"
            },
            {
              "name": "https://github.com/eclipse-ee4j/jersey/pull/4712",
              "refsource": "CONFIRM",
              "url": "https://github.com/eclipse-ee4j/jersey/pull/4712"
            },
            {
              "name": "[kafka-jira] 20210429 [GitHub] [kafka] xjin-Confluent opened a new pull request #10614: MINOR: Upgrade jersey to 2.34",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-jira] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-dev] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-jira] 20210505 [GitHub] [kafka] shayelkin opened a new pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-jira] 20210506 [jira] [Assigned] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-jira] 20210506 [jira] [Commented] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy merged pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-commits] 20210506 [kafka] branch 2.7 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-commits] 20210506 [kafka] branch 2.8 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-jira] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-dev] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr closed pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E"
            },
            {
              "name": "[kafka-users] 20210617 vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2021-28168",
    "datePublished": "2021-04-22T17:35:14",
    "dateReserved": "2021-03-12T00:00:00",
    "dateUpdated": "2024-08-03T21:40:12.260Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-28168\",\"sourceIdentifier\":\"emo@eclipse.org\",\"published\":\"2021-04-22T18:15:08.250\",\"lastModified\":\"2023-11-07T03:32:06.183\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.\"},{\"lang\":\"es\",\"value\":\"Eclipse Jersey versiones 2.28 hasta 2.33 y Eclipse Jersey versiones 3.0.0 hasta 3.0.1, contienen una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n local.\u0026#xa0;Esto es debido al uso de la funci\u00f3n File.createTempFile que crea un archivo dentro del directorio temporal del sistema con los permisos:-rw-r--r--.\u0026#xa0;Por lo tanto, el contenido de este archivo es visible para todos los dem\u00e1s usuarios localmente en el sistema.\u0026#xa0;Como tal, si el contenido escrito es sensible a la seguridad, puede ser revelado a otros usuarios locales\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.5,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":2.1},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]},{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-378\"},{\"lang\":\"en\",\"value\":\"CWE-379\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jersey:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.28\",\"versionEndExcluding\":\"2.34\",\"matchCriteriaId\":\"950CB985-011C-484C-915C-7B994FEB40E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jersey:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.2\",\"matchCriteriaId\":\"FE1BC821-0033-43A2-BFA3-6E01995F1611\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4367D9B-BF81-47AD-A840-AC46317C774D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C6EAA723-2A23-4151-930B-86ACF9CC1C0C\"}]}]}],\"references\":[{\"url\":\"https://github.com/eclipse-ee4j/jersey/pull/4712\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E\",\"source\":\"emo@eclipse.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2022.html\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.