Oracle PeopleSoft Enterprise PeopleTools 8.57/8.58/8.59 Netty information disclosure

A vulnerability was found in Oracle PeopleSoft Enterprise PeopleTools 8.57/8.58/8.59 (Enterprise Resource Planning Software). An unknown function in the bundled Netty component is affected; the change log below ties the issue to Netty's insecure temporary-file handling in its multipart decoders (GitHub advisory GHSA-5mcr-gq6c-3hq2, fixed in Netty 4.1.59.Final), which only exposes data when disk-backed upload storage is enabled and the JVM's temporary directory is shared with other local users. Upgrading eliminates the vulnerability. A potential fix was published after the disclosure.


Fields changed: advisory_confirm_url (1), source_cve_nvd_summary (1), source_cve_assigned (1), exploit_price_0day (1), vulnerability_cvss3_meta_tempscore (1)

Commit confidence: 90% (30 entries), 50% (10 entries), 70% (3 entries)

Approval confidence: 90% (30 entries), 80% (10 entries), 70% (3 entries)
ID | Committed | User | Field | Change | Remarks | Approved | Status | Conf
11468679 | 2021-07-25 | VulD... | confirm_url | https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 | cve.mitre.org | 2021-07-25 | accepted | 70
11468678 | 2021-07-25 | VulD... | cve_nvd_summary | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. | cve.mitre.org | 2021-07-25 | accepted | 70
11468677 | 2021-07-25 | VulD... | cve_assigned | 1608591600 (2020-12-22) | cve.mitre.org | 2021-07-25 | accepted | 70
11448383 | 2021-07-21 | VulD... | price_0day | $0-$5k | see exploit price documentation | 2021-07-21 | accepted | 90
11448382 | 2021-07-21 | VulD... | cvss3_meta_tempscore | 5.3 | see CVSS documentation | 2021-07-21 | accepted | 90
11448381 | 2021-07-21 | VulD... | cvss3_meta_basescore | 5.5 | see CVSS documentation | 2021-07-21 | accepted | 90
11448380 | 2021-07-21 | VulD... | cvss3_vuldb_tempscore | 5.3 | see CVSS documentation | 2021-07-21 | accepted | 90
11448379 | 2021-07-21 | VulD... | cvss3_vuldb_basescore | 5.5 | see CVSS documentation | 2021-07-21 | accepted | 90
11448378 | 2021-07-21 | VulD... | cvss2_vuldb_tempscore | 4.0 | see CVSS documentation | 2021-07-21 | accepted | 90
11448377 | 2021-07-21 | VulD... | cvss2_vuldb_basescore | 4.6 | see CVSS documentation | 2021-07-21 | accepted | 90
11448376 | 2021-07-21 | VulD... | cvss3_vuldb_e | X | derived from historical data | 2021-07-21 | accepted | 80
11448375 | 2021-07-21 | VulD... | cvss2_vuldb_e | ND | derived from historical data | 2021-07-21 | accepted | 80
11448374 | 2021-07-21 | VulD... | cvss2_vuldb_au | S | derived from historical data | 2021-07-21 | accepted | 80
11448373 | 2021-07-21 | VulD... | cvss2_vuldb_rl | OF | derived from vuldb v3 vector | 2021-07-21 | accepted | 80
11448372 | 2021-07-21 | VulD... | cvss2_vuldb_rc | C | derived from vuldb v3 vector | 2021-07-21 | accepted | 80
11448371 | 2021-07-21 | VulD... | cvss2_vuldb_ai | N | derived from vuldb v3 vector | 2021-07-21 | accepted | 80
11448370 | 2021-07-21 | VulD... | cvss2_vuldb_ii | N | derived from vuldb v3 vector | 2021-07-21 | accepted | 80
11448369 | 2021-07-21 | VulD... | cvss2_vuldb_ci | C | derived from vuldb v3 vector | 2021-07-21 | accepted | 80
11448368 | 2021-07-21 | VulD... | cvss2_vuldb_ac | L | derived from vuldb v3 vector | 2021-07-21 | accepted | 80
11448367 | 2021-07-21 | VulD... | cvss2_vuldb_av | L | derived from vuldb v3 vector | 2021-07-21 | accepted | 80

23 more entries are not shown.
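The NVD summary in the change log describes the mechanism (File.createTempFile producing a world-readable file in a shared temporary directory) and names the workaround (a private java.io.tmpdir or DefaultHttpDataFactory.setBaseDir). The following is an added example, not code from Netty, Oracle or VulDB: it reads back the permissions a default temp file actually gets on a Unix-like host, and then builds a DefaultHttpDataFactory whose disk-backed parts are written to a freshly created owner-only (0700) directory. The class name, method names and the "upload-demo-"/"netty-uploads-" prefixes are assumptions chosen for the example; the Netty calls (the DefaultHttpDataFactory(long) constructor, MINSIZE and setBaseDir) are the public API named in the advisory.

```java
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added example (hypothetical class, not Netty or Oracle code). Unix-like systems only:
 * the POSIX permission calls throw UnsupportedOperationException on Windows.
 */
public class NettyUploadDirHardening {

    /**
     * Permissions that a file created with File.createTempFile really receives.
     * They depend on the process umask; the advisory's "-rw-r--r--" is the usual result,
     * which is exactly what lets other local users read a disk-backed upload.
     */
    static Set<PosixFilePermission> defaultTempFilePermissions() throws IOException {
        File f = File.createTempFile("upload-demo-", ".tmp"); // lands in java.io.tmpdir, normally /tmp
        try {
            return Files.getPosixFilePermissions(f.toPath());
        } finally {
            Files.deleteIfExists(f.toPath());
        }
    }

    /** True when a default temp file can be read by a user other than its owner. */
    static boolean defaultTempFilesLeakToOtherUsers() throws IOException {
        Set<PosixFilePermission> perms = defaultTempFilePermissions();
        return perms.contains(PosixFilePermission.OTHERS_READ)
                || perms.contains(PosixFilePermission.GROUP_READ);
    }

    /**
     * Workaround from the advisory: create a directory only the current user can enter,
     * and point Netty's data factory at it with setBaseDir. Multipart parts larger than
     * minSizeBytes are then stored under this directory instead of java.io.tmpdir.
     */
    static DefaultHttpDataFactory privateUploadFactory(long minSizeBytes) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        // The 0700 mode is set atomically at creation, so there is no window in which
        // the directory is world-readable.
        Path dir = Files.createTempDirectory("netty-uploads-", ownerOnly);

        DefaultHttpDataFactory factory = new DefaultHttpDataFactory(minSizeBytes);
        factory.setBaseDir(dir.toString());
        return factory;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("File.createTempFile permissions: "
                + PosixFilePermissions.toString(defaultTempFilePermissions()));
        System.out.println("Readable by other local users: " + defaultTempFilesLeakToOtherUsers());

        // Hand this factory to HttpPostRequestDecoder / HttpPostMultipartRequestDecoder;
        // every disk-backed attribute or file upload then lives in the 0700 directory.
        DefaultHttpDataFactory factory = privateUploadFactory(DefaultHttpDataFactory.MINSIZE);
        System.out.println("Configured private upload base dir on " + factory);
    }
}
```

The alternative the advisory mentions, starting the JVM with -Djava.io.tmpdir pointing at a directory with the same 0700 mode, covers every caller of File.createTempFile in the process rather than only Netty's multipart decoders, which is the better choice when the application bundles other libraries that write to the temp directory. Both workarounds are only needed below Netty 4.1.59.Final, where the fix sets owner-only permissions on the temp file itself.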
