CVE-2022-24823: Creation of Temporary File With Insecure Permissions

May 6, 2022 (updated June 21, 2023)

When netty’s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. This vulnerability is caused by an insufficient fix of CVE-2021-21290.

References

github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1
github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q
nvd.nist.gov/vuln/detail/CVE-2022-24823

Detect and mitigate CVE-2022-24823 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →