4 matches found
CVE-2021-28099
In Netflix OSS Hollow, since the Files.existsparent is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated...
com.github.igorperikov:hollow-maven-plugin (>=0.1.1 <=1.0.1), com.netflix.hollow:hollow-diff-ui (>=2.0.0 <=6.1.0) +8 more potentially affected by CVE-2021-28099 via com.netflix.hollow:hollow (>=2.0.0 <=6.1.0)
com.netflix.hollow:hollow MAVEN version =2.0.0, =0.1.1, =2.0.0, =2.5.0, =2.0.0, =4.3.0, =2.16.0, =2.5.0, =2.0.0, =0.1.0, =0.1.0, =2.0.0 Source cves: CVE-2021-28099 Source advisory: OSV:GHSA-9295-MHF3-V33M...
CVE-2021-28099
In Netflix OSS Hollow, since the Files.existsparent is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated...
CVE-2021-28099
The provided connected documents confirm CVE-2021-28099 affects Netflix OSS Hollow. The vulnerability arises because Hollow calls Files.exists(parent) before creating directories, enabling an attacker who can create directories to pre-create the target directory with wide permissions. Additionall...