GHSA-F4JH-WW96-9H9J
Vulnerability from github – Published: 2021-03-30 16:23 – Updated: 2021-03-30 16:22Impact
When File.createTempFile creates a file, the permissions on that file are -rw-r--r--. This means that other users can read the contents of these files after they are written, although they can not modify the contents. This allows for local information disclosure if these files contain sensitive information.
Vulnerable locations: - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/backup/MetaData.java#L106-L111 - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/identity/DoubleRing.java#L109-L118 - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/restore/PostRestoreHook.java#L80-L86
The custom CodeQL queries leveraged to find these this as well as their results can be found here:
https://lgtm.com/query/1543383251073929777/ https://lgtm.com/query/3142895023158674709/
Official Disclosure
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md
Fix
There are no fixed versions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.netflix.priam:priam"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.1.104"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-28100"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-30T16:22:43Z",
"nvd_published_at": "2021-03-23T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen `File.createTempFile` creates a file, the permissions on that file are -rw-r--r--. This means that other users can read the contents of these files after they are written, although they can not modify the contents. This allows for local information disclosure if these files contain sensitive information.\n\nVulnerable locations:\n - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/backup/MetaData.java#L106-L111\n - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/identity/DoubleRing.java#L109-L118\n - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/restore/PostRestoreHook.java#L80-L86\n\n---\n\nThe custom CodeQL queries leveraged to find these this as well as their results can be found here:\n\nhttps://lgtm.com/query/1543383251073929777/\nhttps://lgtm.com/query/3142895023158674709/\n\n## Official Disclosure\n\nhttps://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md\n\n## Fix\n\nThere are no fixed versions.",
"id": "GHSA-f4jh-ww96-9h9j",
"modified": "2021-03-30T16:22:43Z",
"published": "2021-03-30T16:23:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-f4jh-ww96-9h9j"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Netflix/Priam: Temporary Directory Information Disclosure"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.