Skip to content

Creation of Temporary File With Insecure Permissions in org.nanohttpd:nanohttpd

Moderate
JLLeitschuh published GHSA-2r85-x9cf-8fcg Apr 6, 2022

Package

maven org.nanohttpd:nanohttpd (Maven)

Affected versions

<=2.3.1

Patched versions

None

Description

Patches

No patches are available. The maintainers have been unresponsive. It may be appropriate to consider this project unmaintained at this point.

Impact

The org.nanohttpd.protocols.http.tempfiles.DefaultTempFileManager & org.nanohttpd.protocols.http.tempfiles.DefaultTempFile contain a local temporary file information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. As such, files written to that directory without setting the correct file permissions can allow other users on that system to view the contents of the files written to those temporary files.

Vulnerability Locations

Whenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a RandomAccessFile when the body is larger than 1024 bytes. Unfortunately, RandomAccessFile is created using a temporary file which is created with file permissions that allow it's contents to be viewed by all users on the host machine.

https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/core/src/main/java/org/nanohttpd/protocols/http/HTTPSession.java#L611-L617

Workarounds

Manually specifying the -Djava.io.tmpdir= argument when launching Java to set set the temporary directory to a directory exclusively controlled by the current user can fix this issue.

References

Severity

Moderate
5.5
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-21230

Weaknesses

Credits