CVE-2021-28099

Description

> ID: NFLX-2021-001 > Title: Local information disclosure in Hollow > Release Date: 2021-03-23 > Credit: Security Researcher @JLLeitschuh # Overview Security researcher @JLLeitschuh reported that Netflix Hollow (a Netflix OSS project available here: https://github.com/Netflix/hollow) writes to a local temporary directory before validating the permissions on it. # Impact An attacker with the ability to create directories and set permissions on the local filesystem could pre-create this directory and read or modify anything written there by the Hollow process. # Description Since the `Files.exists(parent)` is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated. # Workarounds and Fixes Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.

How to fix CVE-2021-28099

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2021-28099 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 6.1.0

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-28099
• WEBgithub.com/JLLeitschuh/security-research/security/advisories/GHSA-j83w-7qr9-wv86
• WEBgithub.com/Netflix/hollow/issues/502
• WEBgithub.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md