GHSA-9295-mhf3-v33m

Source

https://github.com/advisories/GHSA-9295-mhf3-v33m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-9295-mhf3-v33m/GHSA-9295-mhf3-v33m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9295-mhf3-v33m

Aliases

CVE-2021-28099

Published

2021-03-29T18:25:26Z

Modified

2024-02-16T08:10:15.734375Z

Severity

4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Insecure temporary file in Netflix OSS Hollow

Details

ID: NFLX-2021-001 Title: Local information disclosure in Hollow Release Date: 2021-03-23 Credit: Security Researcher @JLLeitschuh

Overview

Security researcher @JLLeitschuh reported that Netflix Hollow (a Netflix OSS project available here: https://github.com/Netflix/hollow) writes to a local temporary directory before validating the permissions on it.

Impact

An attacker with the ability to create directories and set permissions on the local filesystem could pre-create this directory and read or modify anything written there by the Hollow process.

Description

Since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.

Workarounds and Fixes

Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.

Database specific

{
    "nvd_published_at": "2021-03-23T21:15:00Z",
    "cwe_ids": [
        "CWE-377"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-24T23:39:18Z"
}

References

Affected packages

Maven / com.netflix.hollow:hollow

Package

Name: com.netflix.hollow:hollow; View open source insights on deps.dev
Purl: pkg:maven/com.netflix.hollow/hollow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

6.1.0

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.1.0

2.1.1

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.6.0

2.6.1

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.10.0

2.11.0

2.11.1

2.12.0

2.14.0

2.14.1

2.15.0

2.15.1

2.15.2

2.16.0

2.16.1

2.16.3

2.16.4

2.16.5

2.16.6

2.16.7

2.17.1

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.2.0

3.3.0

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.4.5

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0

4.1.1

4.2.0

4.2.1

4.2.2

4.2.3

4.3.0

4.4.0

4.5.0

4.6.0

4.6.1

4.6.2

4.6.3

4.6.4

4.7.0

4.7.1

4.7.2

4.7.3

4.7.4

4.7.5

4.7.6

4.7.7

4.7.8

4.7.9

4.7.10

4.7.11

4.7.12

4.7.13

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.9.0

4.9.1

4.9.3

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.1.0

5.1.1

5.1.2

5.1.3

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

6.*

6.0.0

6.1.0