CVE-2021-28100
Netflix/Priam: Temporary Directory Information Disclosure
Description
### Impact

When `File.createTempFile` creates a file, the permissions on that file are `-rw-r--r--`. This means that other users can read the contents of these files after they are written, although they cannot modify the contents. This allows for local information disclosure if these files contain sensitive information.

Vulnerable locations:

- https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/backup/MetaData.java#L106-L111
- https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/identity/DoubleRing.java#L109-L118
- https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/restore/PostRestoreHook.java#L80-L86

---

The custom CodeQL queries leveraged to find these, as well as their results, can be found here:

- https://lgtm.com/query/1543383251073929777/
- https://lgtm.com/query/3142895023158674709/

## Official Disclosure

https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md

## Fix

There are no fixed versions.
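The following is an added illustration, not code from Priam or from the advisory. It places the weak pattern the advisory describes (`java.io.File.createTempFile`, which creates the file subject to the process umask, typically `-rw-r--r--`) beside the hardened form (`java.nio.file.Files.createTempFile`, which on POSIX file systems creates the file with owner-only permissions by default), together with a small check that a reviewer or test can use to confirm that a temporary file is not group- or world-readable. The class name, method names and the `priam-demo-` prefix are assumptions chosen for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFilePermissionsDemo {

    // Weak pattern (illustrative stand-in for the advisory's vulnerable locations):
    // java.io.File.createTempFile creates the file under the process umask, which on
    // a typical server (umask 022) yields 0644 / -rw-r--r--, so any local user can
    // read whatever is later written into it.
    static Path createUnderUmask(String prefix, String suffix) throws IOException {
        File f = File.createTempFile(prefix, suffix);
        f.deleteOnExit();
        return f.toPath();
    }

    // Hardened pattern: java.nio.file.Files.createTempFile creates the file with
    // owner-only access on POSIX file systems by default. The explicit attribute
    // below states the intent (0600) so it survives future refactoring and review.
    static Path createOwnerOnly(String prefix, String suffix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        Path p = Files.createTempFile(prefix, suffix, attr);
        p.toFile().deleteOnExit();
        return p;
    }

    // Check: true if any group or "other" permission bit is set on the file.
    // Throws UnsupportedOperationException on file systems without POSIX attributes.
    static boolean isAccessibleByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        for (PosixFilePermission perm : perms) {
            switch (perm) {
                case GROUP_READ: case GROUP_WRITE: case GROUP_EXECUTE:
                case OTHERS_READ: case OTHERS_WRITE: case OTHERS_EXECUTE:
                    return true;
                default:
                    break;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path weak = createUnderUmask("priam-demo-", ".tmp");
        Path safe = createOwnerOnly("priam-demo-", ".tmp");
        try {
            System.out.println(weak + " -> " + PosixFilePermissions.toString(Files.getPosixFilePermissions(weak))
                    + " accessible by others: " + isAccessibleByOthers(weak));
            System.out.println(safe + " -> " + PosixFilePermissions.toString(Files.getPosixFilePermissions(safe))
                    + " accessible by others: " + isAccessibleByOthers(safe));
        } finally {
            Files.deleteIfExists(weak);
            Files.deleteIfExists(safe);
        }
    }
}
```

Two caveats when applying this in a code base: `PosixFilePermissions.asFileAttribute` and `Files.getPosixFilePermissions` only work on POSIX file systems (on Windows they throw `UnsupportedOperationException`), so code that must run on both should call `Files.createTempFile(prefix, suffix)` without the attribute, which is still owner-only on POSIX, and guard the permission check; and switching the creation call only protects the temporary file itself, so the contents written to it and any copy made elsewhere still need the same review.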
How to fix CVE-2021-28100
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- no fix listed
Is CVE-2021-28100 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Netflix/Priam: all versions from 0 up to and including 3.1.104