Information Disclosure Affecting io.netty:netty-testsuite package, versions [4.0.0.Final, 4.1.59.Final)


0.0
medium
  • Attack Complexity

    Low

  • Confidentiality

    High

  • snyk-id

    SNYK-JAVA-IONETTY-1082237

  • published

    9 Feb 2021

  • disclosed

    9 Feb 2021

  • credit

    Jonathan Leitschuh

How to fix?

Upgrade io.netty:netty-testsuite to version 4.1.59.Final or higher.

Overview

Affected versions of this package are vulnerable to Information Disclosure via AbstractDiskHttpData on Unix-like systems.

When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storage of uploads on disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. The method File.createTempFile on Unix-like systems creates a randomly named file but, by default, creates it with the permissions -rw-r--r--. Sensitive information is written to this file in AbstractDiskHttpData, and other local users can read it.
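The weak and hardened temp-file patterns side by side, as an added example that is not netty's own code: the first uses java.io.File.createTempFile (permissions follow the process umask, typically -rw-r--r--), the second uses java.nio.file.Files.createTempFile with explicit owner-only permissions, and a small check reports whether a path is readable by other local users. It assumes a POSIX file system; the permission queries throw on platforms without POSIX attributes.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFilePermissionsDemo {

    // Weak pattern: java.io.File.createTempFile applies only the process umask,
    // so with the common umask 022 the file is created as -rw-r--r-- and any
    // local user can read whatever the upload decoder spools into it.
    static Path createWithDefaultPermissions() throws IOException {
        return File.createTempFile("upload", ".tmp").toPath();
    }

    // Hardened pattern: request -rw------- at creation time, so there is no
    // window in which another user can open the file before a later chmod.
    // (java.nio Files.createTempFile also defaults to rw------- on POSIX;
    // passing the attribute makes the intent explicit.)
    static Path createOwnerOnly() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        return Files.createTempFile("upload", ".tmp", ownerOnly);
    }

    // Check for a test or an audit script: can group or others read the file?
    static boolean isReadableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path weak = createWithDefaultPermissions();
        Path hardened = createOwnerOnly();
        try {
            for (Path p : new Path[] {weak, hardened}) {
                System.out.println(p + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
                    + " readableByOthers=" + isReadableByOthers(p));
            }
        } finally {
            Files.deleteIfExists(weak);
            Files.deleteIfExists(hardened);
        }
    }
}
```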
