Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY0amgtd3c5Ni05aDlq

Netflix/Priam: Temporary Directory Information Disclosure

Impact

When File.createTempFile creates a file, the permissions on that file are -rw-r--r--. This means that other users on the same system can read the contents of these files after they are written, although they cannot modify them. This allows local information disclosure if the files contain sensitive information.
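The following is an added illustration, not code from the Priam project or from the advisory. It places the pattern the advisory describes (java.io.File.createTempFile, which creates the file with 0666 masked by the process umask, so -rw-r--r-- under the common umask of 022) beside the hardened form (java.nio.file.Files.createTempFile, which creates the file owner-only on POSIX file systems), plus a small check a reviewer can run to confirm which one a code path ends up with. The class name, the "priam-" prefix and the main method are assumptions; the permission behaviour is that of the JDK on POSIX systems.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical demonstration class; not part of Priam.
public class TempFilePermissions {

    // Vulnerable pattern from the advisory: File.createTempFile creates the file
    // with mode 0666 & ~umask. With the usual umask of 022 that is -rw-r--r--,
    // so every local user can read whatever is written into it.
    static File createLegacyTempFile() throws IOException {
        File f = File.createTempFile("priam-", ".tmp"); // prefix is an assumption
        f.deleteOnExit();
        return f;
    }

    // Hardened form: on POSIX file systems Files.createTempFile creates the file
    // with owner-only permissions (rw-------) when no attributes are given.
    static Path createPrivateTempFile() throws IOException {
        Path p = Files.createTempFile("priam-", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    // Explicit variant: request rw------- at creation time. Because the mode is
    // applied atomically by the open() call, there is no window between creation
    // and a later chmod during which the file is world-readable. Throws
    // UnsupportedOperationException on file systems without POSIX attributes.
    static Path createPrivateTempFileExplicit() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Path p = Files.createTempFile("priam-", ".tmp", ownerOnly);
        p.toFile().deleteOnExit();
        return p;
    }

    // Review/audit check: true if anyone other than the owner can read the file.
    static boolean isReadableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    static String modeOf(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        Path legacy = createLegacyTempFile().toPath();
        Path nio = createPrivateTempFile();
        Path explicit = createPrivateTempFileExplicit();

        System.out.println("File.createTempFile        : " + modeOf(legacy)
            + "  readable by others=" + isReadableByOthers(legacy));
        System.out.println("Files.createTempFile       : " + modeOf(nio)
            + "  readable by others=" + isReadableByOthers(nio));
        System.out.println("Files.createTempFile(attr) : " + modeOf(explicit)
            + "  readable by others=" + isReadableByOthers(explicit));
    }
}
```

Run it on a Linux or macOS host: the first line reports rw-r--r-- (assuming umask 022) with readable-by-others true, the other two report rw------- with false. Switching a call site from File.createTempFile to Files.createTempFile is the usual one-line remediation for this class of finding; the explicit-attribute variant is worth using where the permission requirement should be visible in the code rather than relying on the JDK default. Note that the permission checks rely on POSIX attributes and will throw on Windows.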

Vulnerable locations:


The custom CodeQL queries used to find this, as well as their results, can be found here:

https://lgtm.com/query/1543383251073929777/
https://lgtm.com/query/3142895023158674709/

Official Disclosure

https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md

Fix

There are no fixed versions.

Permalink: https://github.com/advisories/GHSA-f4jh-ww96-9h9j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY0amgtd3c5Ni05aDlq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: over 1 year ago


CVSS Score: 6.2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-f4jh-ww96-9h9j, CVE-2021-28100
References: Repository: https://github.com/JLLeitschuh/security-research
Blast Radius: 3.0

Affected Packages

maven:com.netflix.priam:priam
Dependent packages: 4
Dependent repositories: 3
Downloads:
Affected Version Ranges: <= 3.1.104
No known fixed version
All affected versions: 1.1.20, 1.1.36, 1.1.37, 1.1.51, 1.1.52, 1.1.53, 1.1.54, 1.1.56, 2.0.5, 2.0.6, 2.0.7, 2.0.16, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 3.0.0, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.35, 3.1.36, 3.1.37, 3.1.38, 3.1.39, 3.1.40, 3.1.41, 3.1.42, 3.1.43, 3.1.44, 3.1.45, 3.1.46, 3.1.48, 3.1.49, 3.1.50, 3.1.51, 3.1.52, 3.1.53, 3.1.55, 3.1.56, 3.1.57, 3.1.58, 3.1.59, 3.1.60, 3.1.61, 3.1.62, 3.1.63, 3.1.64, 3.1.65, 3.1.66, 3.1.67, 3.1.68, 3.1.69, 3.1.70, 3.1.71, 3.1.72, 3.1.73, 3.1.74, 3.1.75, 3.1.76, 3.1.78, 3.1.79, 3.1.80, 3.1.81, 3.1.82, 3.1.83, 3.1.85, 3.1.86, 3.1.87, 3.1.90, 3.1.91, 3.1.93, 3.1.95, 3.1.96, 3.1.97, 3.1.99, 3.1.101, 3.1.102, 3.1.103, 3.1.104