Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-G3WG-6MCF-8JJ6
HistoryNov 04, 2020 - 5:50 p.m.

Local Temp Directory Hijacking Vulnerability

2020-11-0417:50:24
Google
osv.dev
90

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

68.8%

JSON

Impact

On Unix like systems, the system’s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.

Additionally, any user code uses of WebAppContext::getTempDirectory would similarly be vulnerable.

Additionally, any user application code using the ServletContext attribute for the tempdir will also be impacted.
See: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR

For example:

import java.io.File;
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ExampleServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised
        // do something with that temp dir
    }
}

Example: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them.

CVSSv3.1 Evaluation

This vulnerability has been calculated to have a CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Patches

Fixes were applied to the 9.4.x branch with:

These will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3

Workarounds

A work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system.
For recent releases, a temporary directory can be created simple by creating a directory called work in the ${jetty.base} directory (the parent directory of the webapps directory).
Alternately the java temporary directory can be set with the System Property java.io.tmpdir. A more detailed description of how jetty selects a temporary directory is below.

The Jetty search order for finding a temporary directory is as follows:

  1. If the WebAppContext has a temp directory specified, use it.
  2. If the ServletContext has the javax.servlet.context.tempdir attribute set, and if directory exists, use it.
  3. If a ${jetty.base}/work directory exists, use it (since Jetty 9.1)
  4. If a ServletContext has the org.eclipse.jetty.webapp.basetempdir attribute set, and if the directory exists, use it.
  5. Use System.getProperty("java.io.tmpdir") and use it.

Jetty will end traversal at the first successful step.
To mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker.

Setting a Jetty server temporary directory.

Choices 3 and 5 apply to the server level, and will impact all deployed webapps on the server.

For choice 3 just create that work directory underneath your ${jetty.base} and restart Jetty.

For choice 5, just specify your own java.io.tmpdir when you start the JVM for Jetty.

[jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar

Setting a Context specific temporary directory.

The rest of the choices require you to configure the context for that deployed webapp (seen as ${jetty.base}/webapps/<context>.xml)

Example (excluding the DTD which is version specific):

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath"><Property name="foo"/></Set>
  <Set name="war">/var/web/webapps/foo.war</Set>
  <Set name="tempDirectory">/var/web/work/foo</Set>
</Configure>

References

Similar Vulnerabilities

Similar, but not the same.

For more information

The original report of this vulnerability is below:

> On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh <[email protected]> wrote:
> Hi WebTide Security Team,
>
> I’m a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty.
>
> https://lgtm.com/query/5615014766184643449/
>
> I’ve recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users.
> There exists a race condition between the deletion of the temporary file and the creation of the directory.
>
> java &gt; // ensure file will always be unique by appending random digits &gt; tmpDir = File.createTempFile(temp, ".dir", parent); // Attacker knows the full path of the file that will be generated &gt; // delete the file that was created &gt; tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. &gt; // and make a directory of the same name &gt; // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory &gt; tmpDir.mkdirs(); &gt;
>
> https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518
>
> In several cases the parent parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback.
>
>
> https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468
>
> If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
>
> Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories
>
> This vulnerability disclosure follows Google’s 90-day vulnerability disclosure policy (I’m not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.
>
> Cheers,
> Jonathan Leitschuh

References

Related

github 7
osv 12
prion 4
ubuntucve 4
redhatcve 4
cve 4
debiancve 4
ibm 33
nessus 29
veracode 3
f5 1
redhat 14
openvas 17
ubuntu 2
suse 1
alpinelinux 2
freebsd 1
fedora 2
photon 6
mageia 2
gentoo 1
archlinux 2
rosalinux 1
debian 2
jetbrains 1
oracle 8
github
github
Local Temp Directory Hijacking Vulnerability
2020-11-04 17:50:24
TemporaryFolder on unix-like systems does not limit access to created files
2020-10-12 17:33:00
Local information disclosure via system temporary directory
2021-04-23 16:55:01
osv
osv
Local information disclosure via system temporary directory
2021-04-23 16:55:01
TemporaryFolder on unix-like systems does not limit access to created files
2022-11-23 22:17:25
TemporaryFolder on unix-like systems does not limit access to created files
2020-10-12 17:33:00
prion
prion
Privilege escalation
2020-08-08 21:15:00
Privilege escalation
2020-10-23 13:15:00
Design/Logic Flaw
2020-05-14 16:15:00
ubuntucve
ubuntucve
CVE-2020-15824
2020-08-08 00:00:00
CVE-2020-27216
2020-10-23 00:00:00
CVE-2020-1945
2020-05-14 00:00:00
redhatcve
redhatcve
CVE-2020-15824
2021-02-18 17:03:49
CVE-2020-27216
2020-10-23 21:03:44
CVE-2020-1945
2020-05-19 13:30:55
cve
cve
CVE-2020-15824
2020-08-08 21:15:00
CVE-2020-27216
2020-10-23 13:15:00
CVE-2020-1945
2020-05-14 16:15:00
debiancve
debiancve
CVE-2020-15824
2020-08-08 21:15:00
CVE-2020-27216
2020-10-23 13:15:00
CVE-2020-1945
2020-05-14 16:15:00
ibm
ibm
Security Bulletin: IBM Network Performance Insight 1.3.1 affected by Eclipse Jetty vulnerability (CVE-2020-27216)
2021-02-01 11:01:33
Security Bulletin: Eclipse Jetty Vulnerability Affects IBM Control Center (CVE-2020-27216)
2021-05-14 21:20:10
Security Bulletin: A vulnerability in Eclipse Jetty affects IBM Rational Service Tester (CVE-2020-27216)
2021-01-25 13:53:14
nessus
nessus
F5 Networks BIG-IP : Eclipse Jetty vulnerability (K18484125)
2022-05-18 00:00:00
RHEL 7 : rh-eclipse (RHSA-2020:5168)
2020-11-24 00:00:00
Ubuntu 19.10 : Apache Ant vulnerability (USN-4380-1)
2020-06-02 00:00:00
veracode
veracode
Privilege Escalation
2020-10-26 02:41:02
Insecure Temporary Directory
2020-05-15 05:16:57
Authorization Bypass
2020-10-04 04:38:58
f5
f5
K18484125 : Eclipse Jetty vulnerability CVE-2020-27216
2022-05-18 00:00:00
redhat
redhat
(RHSA-2020:5168) Moderate: rh-eclipse security, bug fix and enhancement update
2020-11-23 08:51:52
(RHSA-2021:0329) Moderate: Red Hat AMQ Broker 7.4.6 release and security update
2021-02-02 07:32:06
(RHSA-2021:2499) Moderate: OpenShift Container Platform 4.6.36 security update
2021-06-29 05:50:19
openvas
openvas
Eclipse Jetty Privilege Escalation Vulnerability - Linux
2020-10-27 00:00:00
Huawei EulerOS: Security Advisory for ant (EulerOS-SA-2020-1794)
2020-07-31 00:00:00
Fedora: Security Advisory for ant (FEDORA-2020-52741b0a49)
2020-06-07 00:00:00
ubuntu
ubuntu
Apache Ant vulnerability
2020-06-01 00:00:00
Apache Ant vulnerability
2021-03-15 00:00:00
suse
suse
Security update for ant (moderate)
2020-07-20 00:00:00
alpinelinux
alpinelinux
CVE-2020-1945
2020-05-14 16:15:00
CVE-2020-11979
2020-10-01 20:15:00
freebsd
freebsd
Apache Ant leaks sensitive information via the java.io.tmpdir
2020-05-14 00:00:00
fedora
fedora
[SECURITY] Fedora 32 Update: ant-1.10.8-1.fc32
2020-06-02 03:54:05
[SECURITY] Fedora 31 Update: ant-1.10.8-1.fc31
2020-06-02 03:14:07
photon
photon
Moderate Photon OS Security Update - PHSA-2020-0099
2020-06-01 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-2.0-0247
2020-05-30 00:00:00
Moderate Photon OS Security Update - PHSA-2020-0247
2020-05-30 00:00:00
mageia
mageia
Updated ant packages fix security vulnerability
2020-05-27 21:17:37
Updated ant packages fix security vulnerability
2021-04-03 16:16:06
gentoo
gentoo
Apache Ant: Multiple vulnerabilities
2020-07-27 00:00:00
archlinux
archlinux
[ASA-202005-15] ant: arbitrary command execution
2020-05-20 00:00:00
[ASA-202012-5] ant: arbitrary code execution
2020-12-05 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2021-1805
2021-07-02 16:31:56
debian
debian
[SECURITY] [DLA 2661-1] jetty9 security update
2021-05-14 13:28:53
[SECURITY] [DSA 4949-1] jetty9 security update
2021-08-04 21:52:09
jetbrains
jetbrains
JetBrains Security Bulletin Q2 2020
2020-08-06 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2021
2021-10-19 00:00:00
Oracle Critical Patch Update Advisory - January 2021
2021-01-19 00:00:00
Oracle Critical Patch Update Advisory - July 2021
2021-07-20 00:00:00

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

68.8%

JSON
Related for OSV:GHSA-G3WG-6MCF-8JJ6
github7osv12prion4ubuntucve4redhatcve4cve4debiancve4ibm33nessus29veracode3f51redhat14openvas17ubuntu2suse1alpinelinux2freebsd1fedora2photon6mageia2gentoo1archlinux2rosalinux1debian2jetbrains1oracle8