Advisory

ID: NFLX-2021-002
Title: Local information disclosure in Priam
Release Date: 2021-03-23
Severity: Low
Credit: Security Researcher Jonathan Leitschuh

Overview:

Security researcher Jonathan Leitschuh reported that Netflix Priam (a Netflix OSS project available here: https://github.com/Netflix/Priam) writes to a local temporary file with world-readable permissions.

Impact:

An attacker with read access to the local filesystem can read anything the Priam process writes to that temporary file.

Description:

Priam uses File.createTempFile, which creates the temporary file with permissions -rw-r--r--, so its contents are readable by every local user.

Further details are available from the original reporter.

Workarounds and Fixes:

Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.