PT-2021-2347 · Datadog · Datadog Api Client

Jonathan Leitschuh · Published 2021-02-04 · Updated 2021-03-10 · CVE-2021-21331

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Datadog API Client versions prior to 1.0.0-beta.9
Description: The prepareDownloadFile method creates temporary files with insecure permissions in the system temporary directory. On unix-like systems where that directory (typically /tmp) is shared between users, other local users can read those files, which discloses sensitive information downloaded via the API. The likelihood of exploitation is considered low because the affected code is unused. The vulnerability exists in API Client versions 1 and 2.
Recommendations: For versions prior to 1.0.0-beta.9, update to version 1.0.0-beta.9 or later. As a temporary workaround, start the JVM with -Djava.io.tmpdir=<path>, where <path> is a directory with drwx------ (mode 0700) permissions owned by dd-agent, or by whichever user the JVM runs as. The directory needs the owner execute (search) bit: without it the process cannot create files inside the directory, so a mode of 0600 on the directory would break the workaround rather than harden it.
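The following is an added illustration of the bug class and its fix, not code from the Datadog API client. It contrasts the two JDK temp-file APIs: java.io.File.createTempFile only applies the process umask, so on a typical system the file lands in the shared /tmp as -rw-r--r--, while java.nio.file.Files.createTempFile creates the file with rw------- on POSIX file systems regardless of umask. It also includes a runtime check for the workaround above, refusing to proceed unless java.io.tmpdir is a private (rwx------) directory owned by the current user. The method names prepareDownloadFileInsecure, prepareDownloadFileSecure, createOwnerOnly and tmpdirIsPrivate are assumed for this example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFileDemo {

    // Vulnerable pattern (illustrative, assumed name): File.createTempFile honours only
    // the process umask, so with the common umask 022 the file is -rw-r--r-- and any
    // local user can read the download while it sits in the shared temp directory.
    static File prepareDownloadFileInsecure() throws IOException {
        return File.createTempFile("download-", ".tmp");
    }

    // Hardened pattern (assumed name): Files.createTempFile creates the file with
    // rw------- (0600) on POSIX file systems, independent of umask.
    static Path prepareDownloadFileSecure() throws IOException {
        return Files.createTempFile("download-", ".tmp");
    }

    // Same hardening when the directory must be chosen explicitly: the owner-only
    // attribute is applied atomically at creation, so there is no window in which
    // the file exists with looser permissions.
    static Path createOwnerOnly(Path dir, String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        return Files.createTempFile(dir, prefix, ".tmp",
                PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    // Runtime check for the -Djava.io.tmpdir workaround (assumed name): true only if
    // the temp directory is rwx------ (0700) and owned by the user running the JVM.
    static boolean tmpdirIsPrivate() throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(tmp);
        boolean ownerOnly = perms.equals(PosixFilePermissions.fromString("rwx------"));
        String owner = Files.getOwner(tmp).getName();
        return ownerOnly && owner.equals(System.getProperty("user.name"));
    }

    public static void main(String[] args) throws IOException {
        File insecure = prepareDownloadFileInsecure();
        Path secure = prepareDownloadFileSecure();
        try {
            System.out.println("File.createTempFile  -> "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(insecure.toPath())));
            System.out.println("Files.createTempFile -> "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(secure)));
            System.out.println("java.io.tmpdir is private: " + tmpdirIsPrivate());
        } finally {
            insecure.delete();
            Files.deleteIfExists(secure);
        }
    }
}
```

Run it once with the default /tmp and once with java -Djava.io.tmpdir=/path/to/0700/dir TempFileDemo: the first line shows the umask-dependent mode of the java.io API, the second shows rw------- from the java.nio API, and the last line turns true only when the workaround directory is set up correctly. Both APIs honour java.io.tmpdir, so the workaround protects even code that still uses File.createTempFile.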

Related Identifiers

BDU:2021-01585
CVE-2021-21331
GHSA-2CXF-6567-7PP6

Affected Products

Datadog Api Client