CVE-2022-21230

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-21230
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-21230.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-21230
Aliases
  • GHSA-2r85-x9cf-8fcg
  • SNYK-JAVA-ORGNANOHTTPD-2422798
Published
2022-05-01T16:15:08Z
Modified
2024-09-03T04:12:14.195502Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

This affects all versions of package org.nanohttpd:nanohttpd. Whenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a RandomAccessFile when it is larger than 1024 bytes. This file is created with insecure permissions that allow its contents to be viewed by all users on the host machine. Workaround: Manually specifying the -Djava.io.tmpdir= argument when launching Java to set the temporary directory to a directory exclusively controlled by the current user can fix this issue.
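
One way to apply the workaround above so that the server only starts when the temporary directory really is exclusive to the current user. This is an added example, not part of the advisory or of NanoHTTPD; the function names, the directory path and the jar name are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the -Djava.io.tmpdir workaround only after checking
# that the directory really is private. Paths are constructed placeholders.

# True only if $1 is a real directory (not a symlink), owned by the
# current user, with mode 0700 (no group/other access).
tmpdir_is_private() {
    d=$1
    if [ -L "$d" ] || [ ! -d "$d" ] || [ ! -O "$d" ]; then
        return 1
    fi
    case "$(ls -ld "$d")" in
        drwx------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Create the directory with owner-only permissions (or tighten one we
# already own), verify it, and print its path.
make_private_tmpdir() {
    d=$1
    if [ -L "$d" ]; then
        return 1
    fi
    ( umask 077 && mkdir -p "$d" ) || return 1
    chmod 700 "$d" || return 1
    tmpdir_is_private "$d" || return 1
    printf '%s\n' "$d"
}

# Print the JVM option for the workaround, or fail if the directory
# cannot be made private.
java_tmpdir_opt() {
    d=$(make_private_tmpdir "$1") || return 1
    printf '%s\n' "-Djava.io.tmpdir=$d"
}

# Audit helper: list regular files under $1 that group or other can read.
exposed_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \)
}

# Usage (constructed jar name):
#   opt=$(java_tmpdir_opt "$HOME/.nanohttpd-tmp") && exec java "$opt" -jar server.jar
```

Running `exposed_files` against the temporary directory that was in use before the change shows which leftover files other local users could still read.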

Affected packages

Git / github.com/nanohttpd/nanohttpd

Affected ranges

Type
GIT
Repo
https://github.com/nanohttpd/nanohttpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

2.*

2.0.0-Release

Release-2.*

Release-2.0.2
Release-2.0.3
Release-2.0.4
Release-2.0.5
Release-2.1.0

nanohttpd-project-2.*

nanohttpd-project-2.2.0
nanohttpd-project-2.3.0
nanohttpd-project-2.3.1

v1.*

v1.25