Information Disclosure Affecting io.netty:netty-common package, versions [4.0.0.Final, 4.1.59.Final)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-IONETTY-1082234
- published 9 Feb 2021
- disclosed 9 Feb 2021
- credit Jonathan Leitschuh
Introduced: 9 Feb 2021
CVE-2021-21290 Open this link in a new tabHow to fix?
Upgrade io.netty:netty-common to version 4.1.59.Final or higher.
Overview
Affected versions of this package are vulnerable to Information Disclosure via the AbstractDiskHttpData method, and on Unix-like systems.
When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk are enabled.
On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using API's that do not explicitly set the file/directory permissions can lead to information disclosure.
The method File.createTempFile on unix-like systems creates a random file, but, by default will create this file with the permissions -rw-r--r--. Sensitive information is written to this file in AbstractDiskHttpData, and other local users can read it.