CVE-2021-21290
Information Disclosure vulnerability in netty-codec-http (Maven)

Category: Information Disclosure. Known public exploits: none.

What is CVE-2021-21290 About?

This vulnerability in Netty's multipart decoders allows local information disclosure on Unix-like systems when temporary file uploads are enabled. Sensitive data written to insecurely permissioned temporary files can be read by other local users. No special effort is needed to trigger it: under the affected configurations the temporary files are created automatically with default, insecure permissions.

Affected Software

io.netty:netty-codec-http >4.0.0, <4.1.59.Final

Technical Details

The vulnerability lies within Netty's AbstractDiskHttpData class, which is used by DefaultHttpDataFactory and, through it, by HttpPostRequestDecoder and HttpPostMultiPartRequestDecoder when multipart HTTP requests are buffered on disk. On Unix-like systems, File.createTempFile creates temporary files in the system temporary directory (java.io.tmpdir) with default permissions of -rw-r--r--, so any other local user on the system can read their contents. When sensitive information from multipart uploads is written to these temporary files, it becomes readable by any local user, leading to information disclosure. Modern macOS is not affected because it gives each user a private temporary directory.

What is the Impact of CVE-2021-21290?

Successful exploitation may allow local attackers to gain unauthorized access to sensitive information stored in insecurely permissioned temporary files. This can lead to the exposure of confidential data and potential privacy violations.

What is the Exploitability of CVE-2021-21290?

Exploitation of this Information Disclosure vulnerability is local and of relatively low complexity, requiring no authentication or privileges beyond an ordinary local account on the affected system. The vulnerability is triggered automatically whenever the application uses Netty's multipart decoders with disk-based temporary storage on a Unix-like system; the attacker only needs local access to the system temporary directory to read the files created there. The key conditions are the use of HttpPostRequestDecoder or HttpPostMultiPartRequestDecoder (both of which rely on AbstractDiskHttpData) and a system temporary directory that is shared among users (i.e., not macOS). Risk is highest when sensitive user uploads are processed and stored on disk without explicitly setting restrictive file permissions or a dedicated, user-restricted temporary directory.
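The permission difference described in the Technical Details and Exploitability sections can be observed directly with the JDK. The following is an added example, not Netty's code: it creates one temporary file with File.createTempFile (the pre-fix pattern, which inherits the process umask and typically yields -rw-r--r--) and one with the NIO Files.createTempFile API using an explicit owner-only attribute set, then audits a directory for files that other local users could read. The directory it uses is java.io.tmpdir; the file prefix and the helper names are this example's own choices, and the audit is only meaningful on a POSIX file system.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not part of Netty): shows why temp files created with
 * File.createTempFile are readable by other local users on Unix-like systems,
 * how to create them with owner-only permissions instead, and how to audit a
 * temp directory for already-exposed files.
 */
public class TempFilePermissionCheck {

    // Any of these bits set on a temp file means another local user can read it.
    private static final Set<PosixFilePermission> OTHER_USER_READ = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.OTHERS_READ);

    /** True if the file's group or "others" read bit is set. */
    static boolean readableByOtherUsers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        for (PosixFilePermission bit : OTHER_USER_READ) {
            if (perms.contains(bit)) {
                return true;
            }
        }
        return false;
    }

    /** Pre-fix pattern: mode 0666 masked by the process umask, usually 022 -> rw-r--r--. */
    static Path legacyTempFile(Path dir) throws IOException {
        File f = File.createTempFile("upload_", ".tmp", dir.toFile()); // prefix is illustrative
        return f.toPath();
    }

    /** Hardened pattern: NIO API with an explicit rw------- attribute, independent of umask. */
    static Path hardenedTempFile(Path dir) throws IOException {
        return Files.createTempFile(dir, "upload_", ".tmp",
                PosixFilePermissions.asFileAttribute(
                        PosixFilePermissions.fromString("rw-------")));
    }

    /** Audit helper: regular files in dir that other local users can read. */
    static List<Path> auditDirectory(Path dir) throws IOException {
        List<Path> exposed = new ArrayList<>();
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path p : entries) {
                if (Files.isRegularFile(p) && readableByOtherUsers(p)) {
                    exposed.add(p);
                }
            }
        }
        return exposed;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        Path legacy = legacyTempFile(tmp);
        Path hardened = hardenedTempFile(tmp);
        try {
            System.out.println("File.createTempFile  : "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy))
                    + "  readable by other users = " + readableByOtherUsers(legacy));
            System.out.println("Files.createTempFile : "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(hardened))
                    + "  readable by other users = " + readableByOtherUsers(hardened));
            System.out.println("Files in " + tmp + " readable by other users: "
                    + auditDirectory(tmp).size());
        } finally {
            // Do not leave either scratch file behind.
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

Run it with a default umask of 022 on Linux and the first line reports rw-r--r-- while the second reports rw-------. Upgrading to the fixed netty-codec-http release is the real remedy; pointing java.io.tmpdir at a directory with mode 0700 is a defence-in-depth step that also covers other libraries using File.createTempFile, and the audit helper gives operators a quick way to confirm that nothing in the shared temporary directory is currently exposed.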

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-21290?

Available Upgrade Options

  • io.netty:netty-codec-http
    • >4.0.0, <4.1.59.Final → Upgrade to 4.1.59.Final


Additional Resources

What are Similar Vulnerabilities to CVE-2021-21290?

Similar Vulnerabilities: CVE-2020-1945, CVE-2020-15824, CVE-2020-13939, CVE-2021-22134, CVE-2017-1000499