GHSA-f4jh-ww96-9h9j

Suggest an improvement
Source
https://github.com/advisories/GHSA-f4jh-ww96-9h9j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f4jh-ww96-9h9j/GHSA-f4jh-ww96-9h9j.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-f4jh-ww96-9h9j
Aliases
  • CVE-2021-28100
Published
2021-03-30T16:23:12Z
Modified
2023-11-01T04:54:58.838548Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Netflix/Priam: Temporary Directory Information Disclosure
Details

Impact

When File.createTempFile creates a file, the permissions on that file are -rw-r--r--. This means that other users can read the contents of these files after they are written, although they can not modify the contents. This allows for local information disclosure if these files contain sensitive information.

Vulnerable locations: - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/backup/MetaData.java#L106-L111 - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/identity/DoubleRing.java#L109-L118 - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/restore/PostRestoreHook.java#L80-L86


The custom CodeQL queries leveraged to find these this as well as their results can be found here:

https://lgtm.com/query/1543383251073929777/ https://lgtm.com/query/3142895023158674709/

Official Disclosure

https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md

Fix

There are no fixed versions.

Database specific
{
    "nvd_published_at": "2021-03-23T21:15:00Z",
    "github_reviewed_at": "2021-03-30T16:22:43Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-377"
    ]
}
References

Affected packages

Maven / com.netflix.priam:priam

Package

Name
com.netflix.priam:priam
View open source insights on deps.dev
Purl
pkg:maven/com.netflix.priam/priam

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
3.1.104

Affected versions

1.*

1.1.20
1.1.36
1.1.37
1.1.51
1.1.52
1.1.53
1.1.54
1.1.56

2.*

2.0.5
2.0.6
2.0.7
2.0.16
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.8.0
2.8.1
2.8.2
2.8.3

3.*

3.0.0
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.18
3.1.19
3.1.20
3.1.21
3.1.22
3.1.23
3.1.24
3.1.25
3.1.26
3.1.27
3.1.28
3.1.29
3.1.30
3.1.31
3.1.32
3.1.33
3.1.35
3.1.36
3.1.37
3.1.38
3.1.39
3.1.40
3.1.41
3.1.42
3.1.43
3.1.44
3.1.45
3.1.46
3.1.48
3.1.49
3.1.50
3.1.51
3.1.52
3.1.53
3.1.55
3.1.56
3.1.57
3.1.58
3.1.59
3.1.60
3.1.61
3.1.62
3.1.63
3.1.64
3.1.65
3.1.66
3.1.67
3.1.68
3.1.69
3.1.70
3.1.71
3.1.72
3.1.73
3.1.74
3.1.75
3.1.76
3.1.78
3.1.79
3.1.80
3.1.81
3.1.82
3.1.83
3.1.85
3.1.86
3.1.87
3.1.90
3.1.91
3.1.93
3.1.95
3.1.96
3.1.97
3.1.99
3.1.101
3.1.102
3.1.103
3.1.104