Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTkyOTUtbWhmMy12MzNt
Insecure temporary file in Netflix OSS Hollow
ID: NFLX-2021-001
Title: Local information disclosure in Hollow
Release Date: 2021-03-23
Credit: Security Researcher @JLLeitschuh
Overview
Security researcher @JLLeitschuh reported that Netflix Hollow (a Netflix OSS project available here: https://github.com/Netflix/hollow) writes to a local temporary directory before validating the permissions on it.
Impact
An attacker with the ability to create directories and set permissions on the local filesystem could pre-create this directory and read or modify anything written there by the Hollow process.
Description
Since the Files.exists(parent)
is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.
Workarounds and Fixes
Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.
Permalink: https://github.com/advisories/GHSA-9295-mhf3-v33mJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTkyOTUtbWhmMy12MzNt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 4.4
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-9295-mhf3-v33m, CVE-2021-28099
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-28099
- https://github.com/Netflix/hollow/issues/502
- https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md
- https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-j83w-7qr9-wv86
- https://github.com/advisories/GHSA-9295-mhf3-v33m
Blast Radius: 4.7
Affected Packages
maven:com.netflix.hollow:hollow
Dependent packages: 9Dependent repositories: 12
Downloads:
Affected Version Ranges: <= 6.1.0
No known fixed version
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.6.0, 2.6.1, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.10.0, 2.11.0, 2.11.1, 2.12.0, 2.14.0, 2.14.1, 2.15.0, 2.15.1, 2.15.2, 2.16.0, 2.16.1, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.17.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8, 4.7.9, 4.7.10, 4.7.11, 4.7.12, 4.7.13, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4, 4.9.0, 4.9.1, 4.9.3, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 6.0.0, 6.1.0