Information Disclosure Affecting io.netty:netty-transport Open this link in a new tab package, versions [4.0.0.Final, 4.1.59.Final)
Do your applications use this vulnerable package?
9 Feb 2021
9 Feb 2021
How to fix?
io.netty:netty-transport to version 4.1.59.Final or higher.
Affected versions of this package are vulnerable to Information Disclosure via the
AbstractDiskHttpData method, and on Unix-like systems.
netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk are enabled.
On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using API's that do not explicitly set the file/directory permissions can lead to information disclosure.
File.createTempFile on unix-like systems creates a random file, but, by default will create this file with the permissions
-rw-r--r--. Sensitive information is written to this file in
AbstractDiskHttpData, and other local users can read it.