CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
13.3%
GHSA-5mcr-gq6c-3hq2 (CVE-2021-21290) contains an insufficient fix for the vulnerability identified.
When netty’s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.
This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.
To fix the vulnerability the code was changed to the following:
@SuppressJava6Requirement(reason = "Guarded by version check")
public static File createTempFile(String prefix, String suffix, File directory) throws IOException {
if (javaVersion() >= 7) {
if (directory == null) {
return Files.createTempFile(prefix, suffix).toFile();
}
return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();
}
if (directory == null) {
return File.createTempFile(prefix, suffix);
}
File file = File.createTempFile(prefix, suffix, directory);
// Try to adjust the perms, if this fails there is not much else we can do...
file.setReadable(false, false);
file.setReadable(true, true);
return file;
}
Unfortunately, this logic path was left vulnerable:
if (directory == null) {
return File.createTempFile(prefix, suffix);
}
This file is still readable by all local users.
Update to 4.1.77.Final
Specify your own java.io.tmpdir
when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...)
to set the directory to something that is only readable by the current user or update to Java 7 or above.
If you have any questions or comments about this advisory:
Open an issue in netty
Vendor | Product | Version | CPE |
---|---|---|---|
io.netty | netty-codec-http | * | cpe:2.3:a:io.netty:netty-codec-http:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-269q-hmxg-m83q
github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
nvd.nist.gov/vuln/detail/CVE-2022-24823
security.netapp.com/advisory/ntap-20220616-0004/
www.oracle.com/security-alerts/cpujul2022.html
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
13.3%