CVE-2022-24823
Information Disclosure vulnerability in netty-codec-http (Maven)

Information Disclosure No known exploit

What is CVE-2022-24823 About?

CVE-2022-24823 is an information disclosure flaw in Netty's multipart decoders. The fix for CVE-2021-21290 was incomplete, so temporary files created while a multipart upload is spooled to disk can still be created with insecure permissions. The result is local information disclosure on Unix-like systems whose temporary directory is shared among users; it affects applications running on Java 6 or lower, and exploitation is of moderate difficulty.

Affected Software

io.netty:netty-codec-http <4.1.77.Final

Technical Details

When Netty's multipart decoders are configured to store uploads on disk, they create temporary files. The fix for CVE-2021-21290 was incomplete and left a legacy code path vulnerable: when the temporary file is created with File.createTempFile(prefix, suffix), i.e. with no base directory (directory is null), on Java 6 or lower, the file lands in the system temporary directory (java.io.tmpdir) with the default permissions, which on Unix-like systems typically make it readable by every local user. Any other local user can therefore read the content of uploaded files, which may contain sensitive data, for as long as the file exists. This matters on Unix-like systems, and on very old Mac OS X and Windows versions, where the system temporary directory is shared among all users. Java 7 and later are not affected by this path because the fixed code creates temporary files with owner-only permissions there.

What is the Impact of CVE-2022-24823?

Successful exploitation allows a local attacker to read the content of uploaded files while they sit in the shared temporary directory, breaching the confidentiality of whatever the application's users uploaded.

What is the Exploitability of CVE-2022-24823?

Exploitation complexity is moderate and requires local access to the affected host. Prerequisites: the application uses Netty's multipart decoders with disk storage enabled for uploads, does not set a dedicated base directory for temporary files, and runs on Java 6 or lower; in addition, the operating system shares its temporary directory among all users, which is the norm on Unix-like systems. Under those conditions any local user with basic privileges can read the temporary files while they exist, so the attacker must also win the race before the decoder deletes them. The vulnerability is purely local. Risk is higher when the application handles sensitive uploads or when the host is shared with untrusted users.

What are the Known Public Exploits?

No known public exploits or proof-of-concept code.

What are the Available Fixes for CVE-2022-24823?

Available Upgrade Options

  • io.netty:netty-codec-http
    • <4.1.77.Final → Upgrade to 4.1.77.Final or later
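As an added example (not Netty's own code and not part of this advisory), the following Java program shows the workaround available to installations that cannot upgrade yet: give the multipart decoder a dedicated base directory readable only by the service user, instead of the shared java.io.tmpdir, via DefaultHttpDataFactory.setBaseDir, and verify the permissions of each spilled file. It assumes a Netty 4.1 release with DefaultHttpDataFactory.setBaseDir and setDeleteOnExit, a POSIX filesystem, and a directory name netty-uploads chosen here purely for illustration; the multipart request it decodes is constructed inline.

```java
import io.netty.buffer.Unpooled;
import io.netty.handler.codec.http.DefaultFullHttpRequest;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import io.netty.handler.codec.http.multipart.FileUpload;
import io.netty.handler.codec.http.multipart.HttpPostRequestDecoder;
import io.netty.handler.codec.http.multipart.InterfaceHttpData;
import io.netty.util.CharsetUtil;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

/** Private spill directory for Netty multipart uploads plus a permission check on the spilled files. */
public final class PrivateUploadDir {

    private static final Set<PosixFilePermission> OWNER_ONLY = PosixFilePermissions.fromString("rwx------");

    // Any of these bits on a spilled upload would let another local user reach it.
    private static final Set<PosixFilePermission> SHARED_BITS = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Creates (or re-secures) a 0700 directory for spill files; the shared java.io.tmpdir is never used directly. */
    static Path privateUploadDir(Path parent) throws IOException {
        Path dir = parent.resolve("netty-uploads"); // hypothetical name, chosen for this example
        Files.createDirectories(dir, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        // createDirectories leaves an existing directory's mode alone, so enforce it explicitly.
        Files.setPosixFilePermissions(dir, OWNER_ONLY);
        return dir;
    }

    /** Spills every upload to disk, but only under the private directory. */
    static DefaultHttpDataFactory hardenedFactory(Path uploadDir) {
        DefaultHttpDataFactory factory = new DefaultHttpDataFactory(true); // useDisk = true
        factory.setBaseDir(uploadDir.toString());
        factory.setDeleteOnExit(true);
        return factory;
    }

    /** True when no group or other permission bit is set on the path. */
    static boolean isPrivateToOwner(Path p) throws IOException {
        return Collections.disjoint(Files.getPosixFilePermissions(p), SHARED_BITS);
    }

    /** Constructed multipart/form-data request carrying one small file upload. */
    static DefaultFullHttpRequest sampleUpload() {
        String boundary = "----ExampleBoundary7MA4YWxkTrZu0gW";
        String body = "--" + boundary + "\r\n"
                + "Content-Disposition: form-data; name=\"file\"; filename=\"secret.txt\"\r\n"
                + "Content-Type: text/plain\r\n\r\n"
                + "constructed sample contents\r\n"
                + "--" + boundary + "--\r\n";
        DefaultFullHttpRequest req = new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/upload",
                Unpooled.copiedBuffer(body, CharsetUtil.UTF_8));
        req.headers().set(HttpHeaderNames.CONTENT_TYPE, "multipart/form-data; boundary=" + boundary);
        HttpUtil.setContentLength(req, req.content().readableBytes());
        return req;
    }

    public static void main(String[] args) throws IOException {
        Path uploadDir = privateUploadDir(Paths.get(System.getProperty("java.io.tmpdir")));
        DefaultHttpDataFactory factory = hardenedFactory(uploadDir);
        DefaultFullHttpRequest request = sampleUpload();
        HttpPostRequestDecoder decoder = new HttpPostRequestDecoder(factory, request);
        try {
            for (InterfaceHttpData data : decoder.getBodyHttpDatas()) {
                if (data.getHttpDataType() != InterfaceHttpData.HttpDataType.FileUpload) {
                    continue;
                }
                FileUpload upload = (FileUpload) data;
                if (upload.isInMemory()) {
                    continue; // nothing on disk, nothing to leak
                }
                Path spilled = upload.getFile().toPath();
                boolean dirOk = isPrivateToOwner(spilled.getParent());
                boolean fileOk = isPrivateToOwner(spilled);
                System.out.printf("%s -> dir private: %b, file private: %b%n", spilled, dirOk, fileOk);
                if (!dirOk || !fileOk) {
                    throw new IllegalStateException("upload spilled with shared permissions: " + spilled);
                }
            }
        } finally {
            decoder.destroy(); // also deletes the spilled files
            request.release();
        }
    }
}
```

The 0700 directory is the part that matters even on a Java 6 runtime, where the fallback in the vulnerable versions still creates the file with the default umask: other local users cannot traverse into the directory, so the file's own mode no longer decides whether they can read it. The per-file check is defence in depth and doubles as a regression test after the upgrade to 4.1.77.Final.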

Additional Resources

What are Similar Vulnerabilities to CVE-2022-24823?

Similar Vulnerabilities: CVE-2021-21290, CVE-2018-1000180, CVE-2020-11987, CVE-2019-10086, CVE-2018-1284