GHSA-269q-hmxg-m83q

Опубликовано: 10 мая 2022

Источник: github

Github: Прошло ревью

CVSS3: 5.5

Описание

Local Information Disclosure Vulnerability in io.netty:netty-codec-http

Description

GHSA-5mcr-gq6c-3hq2 (CVE-2021-21290) contains an insufficient fix for the vulnerability identified.

Impact

When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.

This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.

Vulnerability Details

To fix the vulnerability the code was changed to the following:

@SuppressJava6Requirement(reason = "Guarded by version check") public static File createTempFile(String prefix, String suffix, File directory) throws IOException { if (javaVersion() >= 7) { if (directory == null) { return Files.createTempFile(prefix, suffix).toFile(); } return Files.createTempFile(directory.toPath(), prefix, suffix).toFile(); } if (directory == null) { return File.createTempFile(prefix, suffix); } File file = File.createTempFile(prefix, suffix, directory); // Try to adjust the perms, if this fails there is not much else we can do... file.setReadable(false, false); file.setReadable(true, true); return file; }

Unfortunately, this logic path was left vulnerable:

if (directory == null) { return File.createTempFile(prefix, suffix); }

This file is still readable by all local users.

Patches

Update to 4.1.77.Final

Workarounds

Specify your own java.io.tmpdir when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user or update to Java 7 or above.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in netty

Ссылки

Пакеты

Наименование

io.netty:netty-codec-http

maven

Затронутые версииВерсия исправления

<= 4.1.76.Final

4.1.77.Final

EPSS

Процентиль: 52%

0.00285

Низкий

5.5 Medium

CVSS3

CVE ID

CVE-2022-24823

Дефекты

CWE-378

CWE-379

CWE-668

Связанные уязвимости

CVE-2022-24823

CVSS3: 5.5

ubuntu

больше 3 лет назад

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

CVE-2022-24823

CVSS3: 5.5

redhat

больше 3 лет назад

CVE-2022-24823

CVSS3: 5.5

nvd

больше 3 лет назад

CVE-2022-24823

CVSS3: 5.5

debian

больше 3 лет назад

Netty is an open-source, asynchronous event-driven network application ...

BDU:2023-08651

CVSS3: 5.5

fstec

больше 3 лет назад

Уязвимость пакета io.netty: netty-codec-http сетевого программного средства Netty, позволяющая нарушителю раскрыть защищаемую информацию

EPSS

Процентиль: 52%

0.00285

Низкий

5.5 Medium

CVSS3

CVE ID

CVE-2022-24823

Дефекты

CWE-378

CWE-379

CWE-668