Information Disclosure Affecting io.netty:netty-handler package, versions [4.0.0.Final, 4.1.59.Final)
- Snyk ID SNYK-JAVA-IONETTY-1082235
- published 9 Feb 2021
- disclosed 9 Feb 2021
- credit Jonathan Leitschuh
How to fix?
Upgrade io.netty:netty-handler to version 4.1.59.Final or higher.
io.netty:netty-handler is a library that provides an asynchronous event-driven network application framework and tools for rapid development of maintainable, high-performance, highly scalable protocol servers and clients. In other words, Netty is a NIO client/server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket servers.
Affected versions of this package are vulnerable to Information Disclosure in the AbstractDiskHttpData class on Unix-like systems. When Netty's multipart decoders are used and temporary storage of uploads on disk is enabled, local information disclosure can occur via the system temporary directory.
On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.
File.createTempFile on Unix-like systems creates a file with a random name, but by default it creates this file with the permissions -rw-r--r-- (the process umask, typically 022, is the only restriction applied). Sensitive information from the multipart upload is written to this file by AbstractDiskHttpData, and any other local user can read it while it exists.
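The following is an added example, not Netty's code or part of the advisory. It reproduces the weak pattern described above (java.io.File.createTempFile) next to the java.nio.file.Files.createTempFile alternative, and inspects the resulting POSIX permissions so the difference can be verified on a real system. The class and method names are chosen for illustration; the only behaviour it relies on is the JDK's own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added example (not Netty's code): compares the permissions of a temp file
 * created with java.io.File.createTempFile against one created with
 * java.nio.file.Files.createTempFile on a POSIX file system.
 */
public class TempFilePermissions {

    // Weak pattern: java.io.File.createTempFile applies only the process umask
    // (typically 022), so in a shared /tmp the file is world-readable (-rw-r--r--).
    static File legacyTempFile() throws IOException {
        File f = File.createTempFile("upload-", ".tmp");
        f.deleteOnExit();
        return f;
    }

    // Hardened alternative: on POSIX file systems the JDK's Files.createTempFile
    // creates the file owner-only (rw-------) regardless of the umask.
    static Path nioTempFile() throws IOException {
        Path p = Files.createTempFile("upload-", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    // Returns true if any account other than the owner can read the file.
    static boolean isReadableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile().toPath();
        Path nio = nioTempFile();
        System.out.printf("File.createTempFile  : %s  readable by others: %b%n",
            PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy)),
            isReadableByOthers(legacy));
        System.out.printf("Files.createTempFile : %s  readable by others: %b%n",
            PosixFilePermissions.toString(Files.getPosixFilePermissions(nio)),
            isReadableByOthers(nio));
    }
}
```

Run it with `java TempFilePermissions.java` (Java 11+) on Linux or macOS; with a default umask of 022 the first line reports rw-r--r-- and the second rw-------. Files.getPosixFilePermissions throws UnsupportedOperationException on file systems without POSIX attributes (for example NTFS on Windows), where the shared-tmp issue does not apply in the same form. The Javadoc for Files.createTempFile only promises that the result "may" be more restrictive than File.createTempFile, so when auditing your own code, check the permissions as above rather than assuming them, and if a java.io.File is unavoidable, create it inside a private directory obtained from Files.createTempDirectory, which also restricts access to the owner on POSIX systems.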