CVE-2022-21230

Incorrect Permission Assignment for Critical Resource in maven/org.nanohttpd/nanohttpd

Identifiers

CVE-2022-21230, GHSA-2r85-x9cf-8fcg

Package Slug

maven/org.nanohttpd/nanohttpd

Vulnerability

Incorrect Permission Assignment for Critical Resource

Description

Whenever an HTTP session parses the body of an HTTP request, the body is written to a RandomAccessFile when it is larger than 1024 bytes. This file is created with insecure permissions that allow its contents to be viewed by all users on the host machine. Workaround: manually specifying the -Djava.io.tmpdir= argument when launching Java, to set the temporary directory to a directory exclusively controlled by the current user, can fix this issue.
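The workaround above, as an added shell example that is not part of the advisory or the NanoHTTPD project: it creates a directory only the current user can access, verifies that, and passes it to the JVM as -Djava.io.tmpdir. The function names, the nanohttpd-tmp prefix and the jar path argument are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: owner-only java.io.tmpdir for a service that embeds NanoHTTPD.
# Names below (functions, directory prefix, jar argument) are illustrative.

# Create a fresh directory with no group/other access and print its path.
make_private_tmpdir() {
    local base="${1:-${TMPDIR:-/tmp}}"
    local dir
    # umask 077 in the subshell so nothing is ever created wider than 0700.
    dir="$(umask 077 && mktemp -d "$base/nanohttpd-tmp.XXXXXX")" || return 1
    chmod go-rwx "$dir" || return 1
    printf '%s\n' "$dir"
}

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, with every group and other permission bit cleared.
is_private_dir() {
    local dir="$1" mode owner
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback.
    mode="$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")" || return 1
    owner="$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir")" || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *00) return 0 ;;   # e.g. 700: group and other digits are both 0
        *)   return 1 ;;
    esac
}

# Start the JVM with the private directory as its temporary directory.
# $1 is the path to the application jar (placeholder supplied by the caller).
launch_with_private_tmpdir() {
    local jar="$1" dir
    dir="$(make_private_tmpdir)" || return 1
    if ! is_private_dir "$dir"; then
        echo "refusing to start: $dir is accessible to other users" >&2
        return 1
    fi
    exec java -Djava.io.tmpdir="$dir" -jar "$jar"
}
```

Request bodies larger than 1024 bytes then land inside a directory other local users cannot traverse, whatever mode the individual temporary files are created with.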

Affected Versions

All versions up to 2.3.1

Solution

Unfortunately, there is no solution available yet.

Last Modified

2022-05-13
