CVE-2021-21290 — Creation of Temporary File With Insecure Permissions in Netty

CWE-378 — Creation of Temporary File With Insecure Permissions CWE-379 — Creation of Temporary File in Directory with Insecure Permissions CWE-668 — Resource Exposure CWE-200 — Sensitive Information Exposure12 documents8 sources

Severity

5.5MEDIUMNVD

CNA6.2GHSA6.2

EPSS

0.0%

top 92.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netty Oracle Nosql Database Quarkus +7 more

Timeline

PublishedFeb 8

Latest updateApr 28

Description

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages11 packages

▶CVEListV5netty/netty< 4.1.59.Final+1

▶NVDnetty/netty< 4.1.59

▶Debiannetty/netty< 1:4.1.48-2+3

▶NVDoracle/nosql_database< 20.3

▶NVDquarkus/quarkus1.13.7

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

netty vulnerabilities↗2023-04-28

▶

GHSA

Local Information Disclosure Vulnerability in io.netty:netty-codec-http↗2022-05-10

▶

CVEList

Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files↗2021-02-08

▶

GHSA

Local Information Disclosure Vulnerability in Netty on Unix-Like systems↗2021-02-08

▶

OSV

Local Information Disclosure Vulnerability in Netty on Unix-Like systems↗2021-02-08

▶

📋Vendor Advisories

Ubuntu

Netty vulnerabilities↗2023-04-28

▶

Red Hat

netty: world readable temporary file containing sensitive data↗2022-05-06

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Modeling (Netty) — CVE-2021-21290↗2021-07-15

▶

Red Hat

netty: Information disclosure via the local system temporary directory↗2021-02-09

▶

Debian

CVE-2021-21290: netty - Netty is an open-source, asynchronous event-driven network application framework...↗2021

▶