Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWM0M3EtNWhwai00Y3J2
Local information disclosure via system temporary directory
Impact
Eclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile
which creates a file inside of the system temporary directory with the permissions: -rw-r--r--
. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
Workaround
This issue can be mitigated by manually setting the java.io.tmpdir
system property when launching the JVM.
Patches
Jersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.
References
- https://github.com/eclipse-ee4j/jersey/pull/4712
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Similar Vulnerabilities
Similar, but not the same:
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
- Google Guava - https://github.com/google/guava/issues/4011
- Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
- JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824
- Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6
Original Disclosure:
Permalink: https://github.com/advisories/GHSA-c43q-5hpj-4crvHello Jersey Security Team,
Utilizing a custom CodeQL query written as a part of the GitHub Security Lab Bug Bounty program, I've unearthed a local temporary file information disclosure vulnerability.
You can see the custom CodeQL query utilized here:
https://lgtm.com/query/8831016213790320486/This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.
This vulnerability impacts the following locations in this project's source:
- https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73
- https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208
This vulnerability exists because of the vulnerability in the
Utils.createTempFile
:This is because
File.createTempFile
creates a file inside of the system temporary directory with the permissions:-rw-r--r--
. Thus the contents of this file are viewable by all other users locally on the system.If there is sensitive information written to these files, it is disclosed to other local users on this system.
The fix for this vulnerability is to use the
Files
API (instead of theFile
API) to create temporary files/directories as this new API correctly sets the posix file permissions.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWM0M3EtNWhwai00Y3J2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 6.2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-c43q-5hpj-4crv, CVE-2021-28168
References:
- https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv
- https://nvd.nist.gov/vuln/detail/CVE-2021-28168
- https://github.com/eclipse-ee4j/jersey/pull/4712
- https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/advisories/GHSA-c43q-5hpj-4crv
Blast Radius: 23.4
Affected Packages
maven:org.glassfish.jersey.core:jersey-common
Dependent packages: 948Dependent repositories: 5,972
Downloads:
Affected Version Ranges: >= 3.0.0, <= 3.0.1, >= 2.28, <= 2.33
Fixed in: 3.0.2, 2.34
All affected versions: 2.29.1, 2.30.1, 3.0.0, 3.0.1
All unaffected versions: 2.0.1, 2.3.1, 2.4.1, 2.5.1, 2.5.2, 2.9.1, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.21.1, 2.22.1, 2.22.2, 2.22.3, 2.22.4, 2.23.1, 2.23.2, 2.24.1, 2.25.1, 2.39.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6