Netflix/Priam: Temporary Directory Information Disclosure
Moderate severity
GitHub Reviewed
Published
Mar 30, 2021
in
JLLeitschuh/security-research
•
Updated Feb 1, 2023
Description
Published by the National Vulnerability Database
Mar 23, 2021
Reviewed
Mar 30, 2021
Published to the GitHub Advisory Database
Mar 30, 2021
Last updated
Feb 1, 2023
Impact
When
File.createTempFile
creates a file, the permissions on that file are -rw-r--r--. This means that other users can read the contents of these files after they are written, although they can not modify the contents. This allows for local information disclosure if these files contain sensitive information.Vulnerable locations:
The custom CodeQL queries leveraged to find these this as well as their results can be found here:
https://lgtm.com/query/1543383251073929777/
https://lgtm.com/query/3142895023158674709/
Official Disclosure
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md
Fix
There are no fixed versions.
References