Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2021-21290

Опубликовано: 08 фев. 2021
Источник: nvd
CVSS3: 6.2
CVSS3: 5.5
CVSS2: 1.9
EPSS Низкий

Описание

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
Версия до 4.1.59 (исключая)
Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
Версия до 1.13.7 (включая)
Конфигурация 4

Одно из

cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
Версия до 20.3 (исключая)
Конфигурация 5

Одно из

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

EPSS

Процентиль: 6%
0.00024
Низкий

6.2 Medium

CVSS3

5.5 Medium

CVSS3

1.9 Low

CVSS2

Дефекты

CWE-378
CWE-668

Связанные уязвимости

ubuntu логотип

CVE-2021-21290

CVSS3: 6.2
ubuntu
почти 5 лет назад

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case...

redhat логотип

CVE-2021-21290

CVSS3: 6.2
redhat
почти 5 лет назад

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case...

debian логотип

CVE-2021-21290

CVSS3: 6.2
debian
почти 5 лет назад

Netty is an open-source, asynchronous event-driven network application ...

github логотип

GHSA-5mcr-gq6c-3hq2

CVSS3: 6.2
github
почти 5 лет назад

Local Information Disclosure Vulnerability in Netty on Unix-Like systems

fstec логотип

BDU:2022-00310

CVSS3: 5.5
fstec
почти 5 лет назад

Уязвимость сетевого программного средства Netty, связанная с созданием временных файлов с небезопасными разрешениями, позволяющая нарушителю получить доступ к конфиденциальным данным

EPSS

Процентиль: 6%
0.00024
Низкий

6.2 Medium

CVSS3

5.5 Medium

CVSS3

1.9 Low

CVSS2

Дефекты

CWE-378
CWE-668