3.6 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:P/A:N
4.4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
0.0004 Low
EPSS
Percentile
12.6%
> ID: NFLX-2021-001
> Title: Local information disclosure in Hollow
> Release Date: 2021-03-23
> Credit: Security Researcher @JLLeitschuh
Security researcher @JLLeitschuh reported that Netflix Hollow (a Netflix OSS project available here: https://github.com/Netflix/hollow) writes to a local temporary directory before validating the permissions on it.
An attacker with the ability to create directories and set permissions on the local filesystem could pre-create this directory and read or modify anything written there by the Hollow process.
Since the Files.exists(parent)
is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.
Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.
CPE | Name | Operator | Version |
---|---|---|---|
com.netflix.hollow:hollow | le | 6.1.0 |
3.6 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:P/A:N
4.4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
0.0004 Low
EPSS
Percentile
12.6%