CVE-2021-28168
Information Disclosure vulnerability in jersey-common (Maven)
What is CVE-2021-28168 About?
Eclipse Jersey versions 2.28 - 2.33 and 3.0.0 - 3.0.1 contain a local information disclosure vulnerability. This occurs because temporary files created using `File.createTempFile` have insecure permissions, allowing other local users to view their contents. Exploiting this is easy for any local attacker.
Affected Software
- org.glassfish.jersey.core:jersey-common
  - >2.28, <2.34
  - >3.0.0, <3.0.2
Technical Details
The vulnerability stems from the use of `File.createTempFile` within Eclipse Jersey (specifically in `FileProvider.java`, `FormDataParamValueParamProvider.java`, and `Utils.java`). On Unix-like systems (excluding modern macOS), the system temporary directory is shared among all local users. `File.createTempFile` creates files with default permissions of `-rw-r--r--`, meaning read access is granted to 'other' users. If sensitive data is written to these temporary files, any other local user on the same system can read their contents, leading to local information disclosure.
What is the Impact of CVE-2021-28168?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information, leading to data breaches or further compromise.
What is the Exploitability of CVE-2021-28168?
Exploitation is local and requires an attacker to have local user access to the system. It is of low complexity and does not require authentication or elevated privileges beyond a standard user account. The attacker must be able to access the system's temporary directory. Any sensitive information processed by the vulnerable Jersey application and written to temporary files can be disclosed. The likelihood of exploitation increases in multi-user environments or systems where multiple applications share the same temporary directory without proper isolation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-28168?
Available Upgrade Options
- org.glassfish.jersey.core:jersey-common
  - >2.28, <2.34 → Upgrade to 2.34
  - >3.0.0, <3.0.2 → Upgrade to 3.0.2
Additional Resources
- https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E
What are Similar Vulnerabilities to CVE-2021-28168?
Similar Vulnerabilities: CVE-2020-1945, CVE-2020-15824, CVE-2021-39147, CVE-2022-26612, CVE-2022-30048
