Advisory
ID: NFLX-2021-002
Title: Local information disclosure in Priam
Release Date: 2021-03-23
Severity: Low
Credit: Security Researcher Jonathan Leitschuh
Overview:
Security researcher Jonathan Leitschuh reported that Netflix Priam (a Netflix OSS project available here: https://github.com/Netflix/Priam) writes to a local temporary file with world-readable permissions.
Impact:
An attacker with read access to the local filesystem can read anything written there by the Priam process.
Description:
Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--.
Further details are available from the original reporter.
Workarounds and Fixes
Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.