Vulnerability Description
This affects all versions of package org.nanohttpd:nanohttpd. Whenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a RandomAccessFile when the it is larger than 1024 bytes. This file is created with insecure permissions that allow its contents to be viewed by all users on the host machine. **Workaround:** Manually specifying the -Djava.io.tmpdir= argument when launching Java to set the temporary directory to a directory exclusively controlled by the current user can fix this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nanohttpd | Nanohttpd | <= 2.3.1 |
References
- https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-2r85-xThird Party Advisory
- https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a0Broken Link
- https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a0Broken Link
- https://snyk.io/vuln/SNYK-JAVA-ORGNANOHTTPD-2422798Third Party Advisory
- https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-2r85-xThird Party Advisory
- https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a0Broken Link
- https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a0Broken Link
- https://snyk.io/vuln/SNYK-JAVA-ORGNANOHTTPD-2422798Third Party Advisory
FAQ
What is CVE-2022-21230?
CVE-2022-21230 is a vulnerability with a CVSS score of 5.5 (MEDIUM). This affects all versions of package org.nanohttpd:nanohttpd. Whenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a RandomAccessFile when the it is l...
How severe is CVE-2022-21230?
CVE-2022-21230 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-21230?
Check the references section above for vendor advisories and patch information. Affected products include: Nanohttpd Nanohttpd.