CVE-2021-28099

描述

> ID: NFLX-2021-001 > Title: Local information disclosure in Hollow > Release Date: 2021-03-23 > Credit: Security Researcher @JLLeitschuh # Overview Security researcher @JLLeitschuh reported that Netflix Hollow (a Netflix OSS project available here: https://github.com/Netflix/hollow) writes to a local temporary directory before validating the permissions on it. # Impact An attacker with the ability to create directories and set permissions on the local filesystem could pre-create this directory and read or modify anything written there by the Hollow process. # Description Since the `Files.exists(parent)` is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated. # Workarounds and Fixes Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.

如何修補 CVE-2021-28099

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本

CVE-2021-28099 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, <= 6.1.0

CVSS 分數

參考連結(4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-28099
• WEBgithub.com/JLLeitschuh/security-research/security/advisories/GHSA-j83w-7qr9-wv86
• WEBgithub.com/Netflix/hollow/issues/502
• WEBgithub.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md