GHSA-C43Q-5HPJ-4CRV

Vulnerability from github – Published: 2021-04-23 16:55 – Updated: 2021-04-22 19:22
VLAI?
Summary
Local information disclosure via system temporary directory
Details

Impact

Eclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.

Workaround

This issue can be mitigated by manually setting the java.io.tmpdir system property when launching the JVM.

Patches

Jersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.

References

Similar Vulnerabilities

Similar, but not the same:

  • JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
  • Google Guava - https://github.com/google/guava/issues/4011
  • Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
  • JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824
  • Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6

Original Disclosure:

Hello Jersey Security Team,

Utilizing a custom CodeQL query written as a part of the GitHub Security Lab Bug Bounty program, I've unearthed a local temporary file information disclosure vulnerability.

You can see the custom CodeQL query utilized here: https://lgtm.com/query/8831016213790320486/

This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.

This vulnerability impacts the following locations in this project's source:

  • https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73
  • https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208

This vulnerability exists because of the vulnerability in the Utils.createTempFile:

https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java#L42-L53

This is because File.createTempFile creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system.

If there is sensitive information written to these files, it is disclosed to other local users on this system.

The fix for this vulnerability is to use the Files API (instead of the File API) to create temporary files/directories as this new API correctly sets the posix file permissions.

Severity ?
6.2 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.33"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.glassfish.jersey.core:jersey-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.28"
            },
            {
              "fixed": "2.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.glassfish.jersey.core:jersey-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-28168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378",
      "CWE-379",
      "CWE-668",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-22T19:22:31Z",
    "nvd_published_at": "2021-04-22T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\nEclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the `File.createTempFile` which creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.\n\n## Workaround\n\nThis issue can be mitigated by manually setting the `java.io.tmpdir` system property when launching the JVM.\n\n## Patches\n\nJersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.\n\n### References\n \n - https://github.com/eclipse-ee4j/jersey/pull/4712\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n## Similar Vulnerabilities\n\nSimilar, but not the same:\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n - Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\n\n---\n\nOriginal Disclosure:\n\n\u003e Hello Jersey Security Team,\n\u003e \n\u003e Utilizing a custom CodeQL query written as a part of the [GitHub Security Lab](https://securitylab.github.com/) [Bug Bounty program](https://securitylab.github.com/bounties), I\u0027ve unearthed a local temporary file information disclosure vulnerability.\n\u003e \n\u003e You can see the custom CodeQL query utilized here:\n\u003e https://lgtm.com/query/8831016213790320486/\n\u003e \n\u003e This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.\n\u003e \n\u003e This vulnerability impacts the following locations in this project\u0027s source:\n\u003e \n\u003e  - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73\n\u003e  - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208\n\u003e \n\u003e This vulnerability exists because of the vulnerability in the `Utils.createTempFile`:\n\u003e \n\u003e https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java#L42-L53\n\u003e \n\u003e This is because `File.createTempFile` creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system.\n\u003e \n\u003e If there is sensitive information written to these files, it is disclosed to other local users on this system.\n\u003e \n\u003e The fix for this vulnerability is to use the `Files` API (instead of the `File` API) to create temporary files/directories as this new API correctly sets the posix file permissions.",
  "id": "GHSA-c43q-5hpj-4crv",
  "modified": "2021-04-22T19:22:31Z",
  "published": "2021-04-23T16:55:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-ee4j/jersey/pull/4712"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Local information disclosure via system temporary directory"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.