PT-2021-17743 · Netflix · Netflix Oss Hollow

Jonathan Leitschuh · Published 2021-03-23 · Updated 2023-08-08 · CVE-2021-28099

CVSS v3.1: 4.4 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Netflix OSS Hollow (affected versions not specified)
Description: The issue allows an attacker to pre-create directories with wide permissions since the Files.exists(parent) check is performed before creating the directories. Furthermore, the use of an insecure source of randomness enables the deterministic calculation of file names to be created. This could allow an attacker to read or modify data written by the Hollow process if they can create directories and set permissions on the local filesystem.
Recommendations: Avoid running Hollow in configurations that share a filesystem with less-trusted processes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
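
Added example (not Hollow's code and not part of the advisory): one way Java code can avoid the check-then-create pattern and predictable names described above, by creating the directory atomically with owner-only permissions, refusing a pre-existing one unless its owner and mode check out, and naming files from SecureRandom. The class and method names are hypothetical, and a POSIX filesystem is assumed.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.security.SecureRandom;
import java.util.Set;

// Added example; names are hypothetical, not Hollow's API. Assumes a POSIX filesystem.
public final class PrivateScratchDir {
    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");
    private static final SecureRandom RNG = new SecureRandom();

    // Create dir atomically with 0700, or accept an existing one only if it is
    // a real directory (not a symlink), owned by us, with no group/other bits.
    static Path ensurePrivateDir(Path dir) throws IOException {
        try {
            Files.createDirectory(dir, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        } catch (FileAlreadyExistsException e) {
            PosixFileAttributes a = Files.readAttributes(
                    dir, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
            UserPrincipal me = dir.getFileSystem().getUserPrincipalLookupService()
                    .lookupPrincipalByName(System.getProperty("user.name"));
            if (!a.isDirectory() || !a.owner().equals(me)
                    || !OWNER_ONLY.containsAll(a.permissions())) {
                throw new IOException("refusing pre-existing directory: " + dir);
            }
        }
        return dir;
    }

    // Unpredictable name plus CREATE_NEW: fails instead of opening a planted file.
    static Path newPrivateFile(Path dir, String suffix) throws IOException {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        StringBuilder name = new StringBuilder();
        for (byte x : b) name.append(String.format("%02x", x));
        Path p = dir.resolve(name + suffix);
        Files.newByteChannel(p, Set.of(StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE),
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")))
             .close();
        return p;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("scratch-demo"); // constructed sample location
        System.out.println(newPrivateFile(ensurePrivateDir(base.resolve("work")), ".tmp"));
    }
}
```

The ownership check only holds if the parent of the directory is itself not writable by less-trusted users, which is the condition the recommendation above addresses.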

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

CVE-2021-28099
GHSA-9295-MHF3-V33M

Affected Products

Netflix Oss Hollow