Описание
Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
Отчет
Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | jersey-core | Not affected | ||
| Red Hat CodeReady Studio 12 | org.glassfish.jersey.core.jersey-common | Will not fix | ||
| Red Hat Fuse 7 | jersey-common | Not affected | ||
| Red Hat Integration Service Registry | jersey-common | Will not fix | ||
| Red Hat JBoss Fuse 6 | jersey-common | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hadoop | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hive | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-presto | Not affected | ||
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Will not fix |
Показывать по
Дополнительная информация
Статус:
6.2 Medium
CVSS3
Связанные уязвимости
Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
Local information disclosure via system temporary directory
Уязвимость фреймворка Eclipse Jersey, связанная с созданием временных файлов с небезопасными разрешениями, позволяющая нарушителю раскрыть защищаемую информацию
6.2 Medium
CVSS3