Insecure temporary file in Netflix OSS Hollow
Moderate severity
GitHub Reviewed
Published
Mar 29, 2021
to the GitHub Advisory Database
•
Updated Aug 8, 2023
Description
Published by the National Vulnerability Database
Mar 23, 2021
Reviewed
Mar 24, 2021
Published to the GitHub Advisory Database
Mar 29, 2021
Last updated
Aug 8, 2023
Overview
Security researcher @JLLeitschuh reported that Netflix Hollow (a Netflix OSS project available here: https://github.com/Netflix/hollow) writes to a local temporary directory before validating the permissions on it.
Impact
An attacker with the ability to create directories and set permissions on the local filesystem could pre-create this directory and read or modify anything written there by the Hollow process.
Description
Since the
Files.exists(parent)
is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.Workarounds and Fixes
Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.
References