netty netty CVE-2022-24823 vulnerability in Netty and Other Products
Published on May 6, 2022

Local Information Disclosure Vulnerability in io.netty:netty-codec-http

product logo product logo product logo product logo
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Github Repository NVD

Vulnerability Analysis

CVE-2022-24823 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2022-24823. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Types

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Creation of Temporary File With Insecure Permissions

Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.

Creation of Temporary File in Directory with Insecure Permissions

The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file. On some operating systems, the fact that the temporary file exists may be apparent to any user with sufficient privileges to access that directory. Since the file is visible, the application that is using the temporary file could be known. If one has access to list the processes on the system, the attacker has gained information about what the user is doing at that time. By correlating this with the applications the user is running, an attacker could potentially discover what a user's actions are. From this, higher levels of security could be breached.


Products Associated with CVE-2022-24823

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-24823 are published in these products:

Netty
 
Oracle Financial Services Crime Compliance Management Studio
 
NetApp Snapcenter
 
NetApp Oncommand Workflow Automation
 
NetApp Active Iq Unified Manager
 
Canonical Ubuntu Linux
 

Affected Versions

netty Version <= 4.1.76.Final is affected by CVE-2022-24823

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-24823

Package Manager Vulnerable Package Versions Fixed In
maven io.netty:netty-codec-http <= 4.1.76.Final 4.1.77.Final

Exploit Probability

EPSS
0.40%
Percentile
60.73%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.