PT-2021-5819 · Netty+5
Published 2021-02-08 · Updated 2024-06-15 · CVE-2021-21290
CVSS v3.1: 6.2 (Medium)
| Vector | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Netty versions prior to 4.1.77.Final
Description
The issue is related to the creation of temporary files with insecure permissions in Netty, an open-source network application framework. When Netty's multipart decoders are used and temporary storage of uploads on disk is enabled, local information disclosure can occur via the system temporary directory. This affects applications running on Unix-like systems, where the temporary directory is shared between all users. The method File.createTempFile creates a random file with default permissions "-rw-r--r--", allowing other local users to read sensitive information written to this file.
Recommendations
For versions prior to 4.1.77.Final, update to 4.1.77.Final to resolve the issue.
As a temporary workaround, specify your own java.io.tmpdir when you start the JVM, or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
Consider updating to Java 7 or above to mitigate the risk.
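As an added example (not from this advisory or the Netty project), the JDK-only Java program below shows the weak File.createTempFile pattern beside the Java 7+ java.nio.file.Files alternative, and builds an owner-only directory that can be passed to DefaultHttpDataFactory.setBaseDir(...) or used as java.io.tmpdir. It assumes a Unix-like system with POSIX file attributes; isOwnerOnly and createPrivateBaseDir are helper names chosen here, not Netty APIs.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class PrivateUploadDir {

    // Owner-only bits expected on the upload directory (rwx------).
    private static final Set<PosixFilePermission> OWNER_ONLY_DIR =
            EnumSet.of(PosixFilePermission.OWNER_READ,
                       PosixFilePermission.OWNER_WRITE,
                       PosixFilePermission.OWNER_EXECUTE);

    // Creates a directory readable only by the current user; its path can be
    // handed to DefaultHttpDataFactory.setBaseDir(...) or -Djava.io.tmpdir=...
    static Path createPrivateBaseDir() throws IOException {
        return Files.createTempDirectory("uploads-",
                PosixFilePermissions.asFileAttribute(OWNER_ONLY_DIR));
    }

    // Returns true when no group/other permission bit is set on the path.
    static boolean isOwnerOnly(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            if (perm != PosixFilePermission.OWNER_READ
                    && perm != PosixFilePermission.OWNER_WRITE
                    && perm != PosixFilePermission.OWNER_EXECUTE) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        // Weak pattern: File.createTempFile only honours the umask, so the
        // result is typically -rw-r--r-- in the shared temporary directory.
        File weak = File.createTempFile("upload-", ".tmp");
        System.out.println("File.createTempFile  owner-only: " + isOwnerOnly(weak.toPath()));

        // Java 7+ pattern: Files.createTempFile creates the file as rw------- on POSIX.
        Path safe = Files.createTempFile("upload-", ".tmp");
        System.out.println("Files.createTempFile owner-only: " + isOwnerOnly(safe));

        // Private base directory for Netty's on-disk multipart uploads.
        Path baseDir = createPrivateBaseDir();
        System.out.println("private base dir " + baseDir + " owner-only: " + isOwnerOnly(baseDir));

        weak.delete();
        Files.delete(safe);
        Files.delete(baseDir);
    }
}
```

On a typical umask of 022 the first line prints false and the other two print true, which is the check to run before enabling disk-backed uploads on a patched or workaround-configured deployment.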
Fix
Weakness: Exposure of Resource to Wrong Sphere
Related Identifiers
Affected Products
Astra Linux
Linuxmint
Netty
Rocky Linux
Suse
Ubuntu