CVE-2021-28100 – com.netflix.priam:priam
Package
Manager: maven
Name: com.netflix.priam:priam
Vulnerable Version: >=0 <=3.1.104
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00044 pctl0.12682
Details
Netflix/Priam: Temporary Directory Information Disclosure

### Impact

When `File.createTempFile` creates a file, the permissions on that file are -rw-r--r--. This means that other local users can read the contents of these files after they are written, although they cannot modify the contents. This allows for local information disclosure if these files contain sensitive information.

Vulnerable locations:

- https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/backup/MetaData.java#L106-L111
- https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/identity/DoubleRing.java#L109-L118
- https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/restore/PostRestoreHook.java#L80-L86

---

The custom CodeQL queries used to find these locations, as well as their results, can be found here:

- https://lgtm.com/query/1543383251073929777/
- https://lgtm.com/query/3142895023158674709/

## Official Disclosure

https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md

## Fix

There are no fixed versions.
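The following is an added illustration of the pattern the advisory describes, not code from Priam: the `File.createTempFile` call that inherits the process umask beside the `java.nio` `Files.createTempFile` form that creates the file owner-only on POSIX systems, plus a permission check a reviewer can run. The class and method names are hypothetical, and it assumes a POSIX filesystem (the permission lookup is unsupported on Windows).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example (hypothetical class, not Priam's code) contrasting the two
// temp-file creation APIs on a POSIX filesystem.
public class TempFileDemo {

    // Pattern flagged by the advisory: java.io File.createTempFile applies
    // only the process umask, which typically yields -rw-r--r--.
    static File legacy(String prefix) throws IOException {
        File f = File.createTempFile(prefix, ".tmp");
        f.deleteOnExit();
        return f;
    }

    // Hardened form: java.nio Files.createTempFile creates the file with
    // owner-only permissions (-rw-------) on POSIX regardless of umask.
    static Path hardened(String prefix) throws IOException {
        Path p = Files.createTempFile(prefix, ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    // Defensive check: true if group or others can read the file, i.e. the
    // condition that turns sensitive temp-file contents into a local leak.
    static boolean isGroupOrWorldReadable(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacy("demo-").toPath();
        Path safe = hardened("demo-");
        System.out.println("File.createTempFile  : "
            + PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy))
            + "  exposed=" + isGroupOrWorldReadable(legacy));
        System.out.println("Files.createTempFile : "
            + PosixFilePermissions.toString(Files.getPosixFilePermissions(safe))
            + "  exposed=" + isGroupOrWorldReadable(safe));
    }
}
```

With a default umask of 022 the first line reports rw-r--r-- and exposed=true, the second rw------- and exposed=false.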
Metadata
Created: 2021-03-30T16:23:12Z
Modified: 2021-03-30T16:22:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f4jh-ww96-9h9j/GHSA-f4jh-ww96-9h9j.json
CWE IDs: ["CWE-377"]
Alternative ID: GHSA-f4jh-ww96-9h9j
Finding: F028
Auto approve: 1