Oracle PeopleSoft Enterprise PeopleTools 8.57/8.58/8.59 Netty information disclosure

A vulnerability was found in Oracle PeopleSoft Enterprise PeopleTools 8.57/8.58/8.59 (Enterprise Resource Planning Software). It has been declared as critical by VulDB, although the CVSS v3 base score recorded in the changelog below is 5.5 (local attack vector, confidentiality impact only). The affected code is the bundled Netty component: on Unix-like systems its HTTP multipart decoders write uploads that spill to disk into the shared system temporary directory using default file permissions, so other local users on the same host can read the upload contents (see the imported NVD summary below). Upgrading eliminates this vulnerability; the underlying Netty issue was fixed in Netty 4.1.59.Final. A possible mitigation, starting the JVM with a private java.io.tmpdir or pointing the Netty disk base directory at a directory readable only by the service account, was published immediately after the disclosure of the vulnerability.

Timeline

Analysing the timeline helps to decide how individual vulnerabilities and collections of vulnerabilities should be handled. The overview shows quieter periods and severe hotspots at a glance, so that vulnerability response can be initiated immediately and issues prioritised.

Changelog entries (Conf. = confidence in percent):

ID | Committed | User | Field | Change | Remarks | Accepted | Status | Conf.
11468679 | 07/25/2021 | VulD... | confirm_url | https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 | cve.mitre.org | 07/25/2021 | accepted | 70
11468678 | 07/25/2021 | VulD... | cve_nvd_summary | (NVD summary, quoted in full below the table) | cve.mitre.org | 07/25/2021 | accepted | 70
11468677 | 07/25/2021 | VulD... | cve_assigned | 1608591600 (Unix epoch, i.e. 2020-12-21 23:00 UTC) | cve.mitre.org | 07/25/2021 | accepted | 70
11448383 | 07/21/2021 | VulD... | price_0day | $0-$5k | see exploit price documentation | 07/21/2021 | accepted | 90
11448382 | 07/21/2021 | VulD... | cvss3_meta_tempscore | 5.3 | see CVSS documentation | 07/21/2021 | accepted | 90
11448381 | 07/21/2021 | VulD... | cvss3_meta_basescore | 5.5 | see CVSS documentation | 07/21/2021 | accepted | 90
11448380 | 07/21/2021 | VulD... | cvss3_vuldb_tempscore | 5.3 | see CVSS documentation | 07/21/2021 | accepted | 90
11448379 | 07/21/2021 | VulD... | cvss3_vuldb_basescore | 5.5 | see CVSS documentation | 07/21/2021 | accepted | 90
11448378 | 07/21/2021 | VulD... | cvss2_vuldb_tempscore | 4.0 | see CVSS documentation | 07/21/2021 | accepted | 90
11448377 | 07/21/2021 | VulD... | cvss2_vuldb_basescore | 4.6 | see CVSS documentation | 07/21/2021 | accepted | 90
11448376 | 07/21/2021 | VulD... | cvss3_vuldb_e | X | derived from historical data | 07/21/2021 | accepted | 80
11448375 | 07/21/2021 | VulD... | cvss2_vuldb_e | ND | derived from historical data | 07/21/2021 | accepted | 80
11448374 | 07/21/2021 | VulD... | cvss2_vuldb_au | S | derived from historical data | 07/21/2021 | accepted | 80
11448373 | 07/21/2021 | VulD... | cvss2_vuldb_rl | OF | derived from vuldb v3 vector | 07/21/2021 | accepted | 80
11448372 | 07/21/2021 | VulD... | cvss2_vuldb_rc | C | derived from vuldb v3 vector | 07/21/2021 | accepted | 80
11448371 | 07/21/2021 | VulD... | cvss2_vuldb_ai | N | derived from vuldb v3 vector | 07/21/2021 | accepted | 80
11448370 | 07/21/2021 | VulD... | cvss2_vuldb_ii | N | derived from vuldb v3 vector | 07/21/2021 | accepted | 80
11448369 | 07/21/2021 | VulD... | cvss2_vuldb_ci | C | derived from vuldb v3 vector | 07/21/2021 | accepted | 80
11448368 | 07/21/2021 | VulD... | cvss2_vuldb_ac | L | derived from vuldb v3 vector | 07/21/2021 | accepted | 80
11448367 | 07/21/2021 | VulD... | cvss2_vuldb_av | L | derived from vuldb v3 vector | 07/21/2021 | accepted | 80

The CVSS v2 components above assemble to the vector AV:L/AC:L/Au:S/C:C/I:N/A:N, which evaluates to the recorded base score of 4.6, and with the temporal components E:ND/RL:OF/RC:C to the recorded temporal score of 4.0. The local attack vector and confidentiality-only impact match the nature of the flaw: a local user on the same host can read, but not alter, upload data.

Full text of the cve_nvd_summary entry (ID 11468678), as imported from cve.mitre.org:

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

23 more changelog entries are not shown.
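The mechanism the NVD summary describes, shown as an added Java example; this is not code from the page, from the Netty project or from Oracle. The weak form is the pattern the advisory names: java.io.File.createTempFile creates the spill file in the shared java.io.tmpdir with the process umask applied to 0666, which is -rw-r--r-- under the usual umask of 022. The hardened form creates a dedicated base directory with owner-only permissions through the NIO API, which takes explicit permissions instead of relying on umask, and then applies the DefaultHttpDataFactory.setBaseDir(...) workaround from the advisory so the multipart decoders spill into that directory. The class name, file prefixes and the MINSIZE threshold are illustrative choices; the example assumes a Unix-like host with POSIX file attributes (the platform the advisory is scoped to) and netty-codec-http 4.1.x on the classpath.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;

// Illustrative class name, not part of Netty or PeopleTools.
public class NettyTempDirHardening {

    // Weak form (the pattern named in the advisory): java.io.File.createTempFile places the
    // file in the shared java.io.tmpdir and only the process umask limits its mode, so the
    // result is usually -rw-r--r-- and readable by every local user.
    static Path insecureTempFile() throws IOException {
        File f = File.createTempFile("upload_", ".tmp");
        return f.toPath();
    }

    // Hardened form, step 1: a private base directory created rwx------ via the NIO API.
    // Files.createTempDirectory takes explicit POSIX permissions and does not depend on umask.
    // Assumes a POSIX filesystem; on other filesystems this throws UnsupportedOperationException.
    static Path privateBaseDir() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        return Files.createTempDirectory("netty-uploads-",
                PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    // Hardened form, step 2: files inside that directory created rw------- explicitly.
    static Path secureTempFile(Path baseDir) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        return Files.createTempFile(baseDir, "upload_", ".tmp",
                PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    // The workaround from the advisory: tell Netty's multipart data factory to spill uploads
    // larger than MINSIZE (16 KiB, Netty's default threshold) into the private directory
    // instead of java.io.tmpdir.
    static DefaultHttpDataFactory hardenedFactory(Path baseDir) {
        DefaultHttpDataFactory factory = new DefaultHttpDataFactory(DefaultHttpDataFactory.MINSIZE);
        factory.setBaseDir(baseDir.toString());
        return factory;
    }

    // Helper for the demonstration: render a path's POSIX mode as rwx------ style text.
    static String permsOf(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        Path weak = insecureTempFile();
        Path dir = privateBaseDir();
        Path strong = secureTempFile(dir);
        try {
            // Under umask 022 the first line shows rw-r--r--, the second rw-------.
            System.out.println("File.createTempFile  : " + weak + "  " + permsOf(weak));
            System.out.println("Files.createTempFile : " + strong + "  " + permsOf(strong));
            System.out.println("base dir             : " + dir + "  " + permsOf(dir));
            DefaultHttpDataFactory factory = hardenedFactory(dir);
            System.out.println("factory configured with base dir " + dir + ": " + (factory != null));
        } finally {
            Files.deleteIfExists(weak);
            Files.deleteIfExists(strong);
            Files.deleteIfExists(dir);
        }
    }
}
```

For a PeopleTools deployment the Netty code is bundled and cannot be changed, so the applicable knob until the patched PeopleTools build is installed is the other workaround the advisory names: start the JVM with -Djava.io.tmpdir pointing at a directory owned by the service account with mode 0700, then confirm with ls -ld that no other user can traverse it. Setting java.io.tmpdir in a running JVM is too late for files already created, which is why the advisory says to set it at JVM start.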
