Eclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the
File.createTempFile which creates a file inside of the system temporary directory with the permissions:
-rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
This issue can be mitigated by manually setting the
java.io.tmpdir system property when launching the JVM.
Jersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.
Similar, but not the same:
Hello Jersey Security Team,
You can see the custom CodeQL query utilized here: https://lgtm.com/query/8831016213790320486/
This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.
This vulnerability impacts the following locations in this project's source:
This vulnerability exists because of the vulnerability in the
This is because
File.createTempFilecreates a file inside of the system temporary directory with the permissions:
-rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system.
If there is sensitive information written to these files, it is disclosed to other local users on this system.
The fix for this vulnerability is to use the
FilesAPI (instead of the
FileAPI) to create temporary files/directories as this new API correctly sets the posix file permissions.