CVE-2022-24823

Published: May 6, 2022Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Affected (7)

Products: Netty: Netty · Oracle: Financial Services Crime And Compliance Management Studio · Netapp: Active Iq Unified Manager, Oncommand Workflow Automation, Snapcenter

Netty

1 product

Netty

Oracle

1 product

Financial Services Crime And Compliance Management Studio

Netapp

3 products

Active Iq Unified Manager

Oncommand Workflow Automation

Snapcenter

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Netty Netty	Before 4.1.77

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Oracle Financial Services Crime And Compliance Management Studio	Version 8.0.8.2.0
Oracle Financial Services Crime And Compliance Management Studio	Version 8.0.8.3.0

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions
Netapp Oncommand Workflow Automation	All versions
Netapp Snapcenter	All versions