[ https://issues.apache.org/jira/browse/TINKERPOP-2535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Mallette closed TINKERPOP-2535.
---------------------------------------
    Fix Version/s: 3.4.11
                   3.5.0
         Assignee: Stephen Mallette
       Resolution: Done

Thanks for bringing this to our attention - fixed for 3.4.11 and 3.5.0: 

https://github.com/apache/tinkerpop/commit/3b0156073da68f5ba0f73d5e3242450c3750feec

> Netty 4.1.52 flagged as medium security violation
> -------------------------------------------------
>
>                 Key: TINKERPOP-2535
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2535
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.4.10
>            Reporter: Dan Snoddy
>            Assignee: Stephen Mallette
>            Priority: Major
>             Fix For: 3.5.0, 3.4.11
>
>
> Security scan software (twistlock) flags netty-all-4.1.52.Final.jar as a 
> medium security violation:
> MEDIUM:
> Attack complexity: low, Has fix, Medium severity, Recent vulnerability
> CVE-2021-21290
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21290
> Netty is an open-source, asynchronous event-driven network 
> application framework for rapid development of maintainable high performance 
> protocol servers & clients. In Netty before version 4.1.59.Final there is a 
> vulnerability on Unix-like systems involving an insecure temp file. When 
> netty's multipart decoders are used, local information disclosure can occur 
> via the local system temporary directory if temporary storing of uploads on the 
> disk is enabled. On unix-like systems, the temporary directory is shared 
> between all users. As such, writing to this directory using APIs that do not 
> explicitly set the file/directory permissions can lead to information 
> disclosure. Of note, this does not impact modern MacOS Operating Systems. The 
> method 'File.createTempFile' on unix-like systems creates a random file, but, 
> by default, will create this file with the permissions '-rw-r--r--'. Thus, if 
> sensitive information is written to this file, other local users can read 
> this information. This is the case in netty's 'AbstractDiskHttpData', which is 
> vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one 
> may specify your own 'java.io.tmpdir' when you start the JVM or use 
> 'DefaultHttpDataFactory.setBaseDir(...)' to set the directory to something 
> that is only readable by the current user.
>
> The scan report shows that the issue is addressed in version 4.1.59. Is there 
> a plan to upgrade it?
>
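The quoted advisory turns on one detail: `File.createTempFile` leaves the file at the default `-rw-r--r--` (subject to umask), so anything a multipart decoder spools to the shared temp directory is readable by every local user. The following is an added example, not TinkerPop or Netty code and not part of the Jira thread; it uses only JDK APIs on a POSIX filesystem to show the legacy permissions next to the shape of the workaround the advisory names (an owner-only base directory, suitable for `java.io.tmpdir` or `DefaultHttpDataFactory.setBaseDir(...)`). The class and method names are assumptions for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example (not TinkerPop or Netty code). Requires a POSIX filesystem;
// Files.getPosixFilePermissions throws UnsupportedOperationException elsewhere.
public class TempFilePermissionsDemo {

    // Legacy API from the advisory: on Unix-like systems this typically yields
    // -rw-r--r-- (depending on umask), i.e. readable by other local users.
    static Set<PosixFilePermission> legacyTempFilePermissions() throws IOException {
        File f = File.createTempFile("legacy-", ".tmp");
        try {
            return Files.getPosixFilePermissions(f.toPath());
        } finally {
            f.delete();
        }
    }

    // Owner-only base directory: Files.createTempDirectory creates it with
    // rwx------ on POSIX. This path is what one would pass to the JVM as
    // -Djava.io.tmpdir=... or to DefaultHttpDataFactory.setBaseDir(...).
    static Path createPrivateBaseDir() throws IOException {
        return Files.createTempDirectory("private-uploads-");
    }

    // A temp file created inside the private directory, with permissions set
    // explicitly at creation time instead of relying on the default mode.
    static Set<PosixFilePermission> privateTempFilePermissions(Path baseDir) throws IOException {
        Path f = Files.createTempFile(baseDir, "upload-", ".tmp",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        try {
            return Files.getPosixFilePermissions(f);
        } finally {
            Files.deleteIfExists(f);
        }
    }

    // True when no group or "others" permission bit is set.
    static boolean isOwnerOnly(Set<PosixFilePermission> perms) {
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ
                    && p != PosixFilePermission.OWNER_WRITE
                    && p != PosixFilePermission.OWNER_EXECUTE) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        Set<PosixFilePermission> legacy = legacyTempFilePermissions();
        System.out.println("File.createTempFile -> " + PosixFilePermissions.toString(legacy)
                + (isOwnerOnly(legacy) ? " (owner-only)" : " (readable by other local users)"));

        Path baseDir = createPrivateBaseDir();
        try {
            Set<PosixFilePermission> priv = privateTempFilePermissions(baseDir);
            System.out.println("private base dir " + baseDir + " -> "
                    + PosixFilePermissions.toString(priv)
                    + (isOwnerOnly(priv) ? " (owner-only)" : " (NOT owner-only)"));
            System.out.println("Workaround: -Djava.io.tmpdir=" + baseDir
                    + " or DefaultHttpDataFactory.setBaseDir(\"" + baseDir + "\")");
        } finally {
            Files.deleteIfExists(baseDir);
        }
    }
}
```

The `isOwnerOnly` check is the one worth keeping around: run it against whatever directory the server actually spools uploads into, since the private directory only helps if the process, and nothing else, can read it. Upgrading to netty 4.1.59.Final (as the TinkerPop fix does) removes the dependency on the default mode altogether.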



--
This message was sent by Atlassian Jira
(v8.3.4#803005)