CVE-2021-21290: Creation of Temporary File With Insecure Permissions

February 8, 2021 (updated June 21, 2023)

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers. There is a vulnerability on Unix-like systems involving an insecure temp file. When netty’s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.

References

github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec
github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
nvd.nist.gov/vuln/detail/CVE-2021-21290

Detect and mitigate CVE-2021-21290 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →