logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2022-24823 io.netty:netty-codec-http

Package

Manager: maven
Name: io.netty:netty-codec-http
Vulnerable Version: >=0 <4.1.77.final

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00285 pctl0.51622

Details

Local Information Disclosure Vulnerability in io.netty:netty-codec-http ### Description ### [GHSA-5mcr-gq6c-3hq2](https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2) (CVE-2021-21290) contains an insufficient fix for the vulnerability identified. ### Impact ### When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. ### Vulnerability Details ### To fix the vulnerability the code was changed to the following: ```java @SuppressJava6Requirement(reason = "Guarded by version check") public static File createTempFile(String prefix, String suffix, File directory) throws IOException { if (javaVersion() >= 7) { if (directory == null) { return Files.createTempFile(prefix, suffix).toFile(); } return Files.createTempFile(directory.toPath(), prefix, suffix).toFile(); } if (directory == null) { return File.createTempFile(prefix, suffix); } File file = File.createTempFile(prefix, suffix, directory); // Try to adjust the perms, if this fails there is not much else we can do... file.setReadable(false, false); file.setReadable(true, true); return file; } ``` Unfortunately, this logic path was left vulnerable: ```java if (directory == null) { return File.createTempFile(prefix, suffix); } ``` This file is still readable by all local users. ### Patches ### Update to 4.1.77.Final ### Workarounds ### Specify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user or update to Java 7 or above. ### References ### - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) ### For more information ### If you have any questions or comments about this advisory: Open an issue in [netty](https://github.com/netty/netty)

Metadata

Created: 2022-05-10T08:46:50Z
Modified: 2022-05-10T08:46:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-269q-hmxg-m83q/GHSA-269q-hmxg-m83q.json
CWE IDs: ["CWE-378", "CWE-379", "CWE-668"]
Alternative ID: GHSA-269q-hmxg-m83q
Finding: F028
Auto approve: 1