Описание
Netflix/Priam: Temporary Directory Information Disclosure
Impact
When File.createTempFile creates a file, the permissions on that file are -rw-r--r--. This means that other users can read the contents of these files after they are written, although they can not modify the contents. This allows for local information disclosure if these files contain sensitive information.
Vulnerable locations:
- https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/backup/MetaData.java#L106-L111
- https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/identity/DoubleRing.java#L109-L118
- https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/restore/PostRestoreHook.java#L80-L86
The custom CodeQL queries leveraged to find these this as well as their results can be found here:
https://lgtm.com/query/1543383251073929777/ https://lgtm.com/query/3142895023158674709/
Official Disclosure
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md
Fix
There are no fixed versions.
Пакеты
com.netflix.priam:priam
<= 3.1.104
Отсутствует
Связанные уязвимости
Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--. An attacker with read access to the local filesystem can read anything written there by the Priam process.