Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-24823

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Published

2022-05-06T12:15:08.163

Last Modified

2024-11-21T06:51:10.620

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

CVSSv2 Vector

AV:L/AC:M/Au:N/C:P/I:N/A:N

Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

3.4

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-378
CWE-379
CWE-668
Type: Primary
CWE-668

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	netty	netty	< 4.1.77	Yes
Application	oracle	financial_services_crime_and_compliance_management_studio	8.0.8.2.0	Yes
Application	oracle	financial_services_crime_and_compliance_management_studio	8.0.8.3.0	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	active_iq_unified_manager	-	Yes
Application	netapp	oncommand_workflow_automation	-	Yes
Application	netapp	snapcenter	-	Yes

References

https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1 Patch, Third Party Advisory ([email protected])
https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q Exploit, Mitigation, Third Party Advisory ([email protected])
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 Exploit, Mitigation, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20220616-0004/ Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory ([email protected])
https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q Exploit, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 Exploit, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20220616-0004/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujul2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)