PT-2021-7977 · Oracle+4 · Java+4

R00T4Dm · Published 2021-02-08 · Updated 2026-05-18 · CVE-2022-24823

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

io.netty:netty-codec-http versions prior to 4.1.77.Final

Description

The issue stems from an insufficient fix for a vulnerability in Netty's multipart decoders. It can lead to local information disclosure via the local system temporary directory if temporary storage of uploads on disk is enabled. This affects applications running on Java version 6 and lower, as well as code running on Unix-like systems and very old versions of Mac OS X and Windows, as they share the system temporary directory between all users.

Recommendations

For versions prior to 4.1.77.Final, update to 4.1.77.Final to fix the vulnerability. As a workaround, specify your own java.io.tmpdir when starting the JVM, or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user. Alternatively, update to Java 7 or above to mitigate the issue.
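One way to apply the setBaseDir(...) workaround, as an added example that is not part of the original advisory or of Netty's own code. It assumes Java 7 or later (for java.nio.file), a POSIX file system, and Netty on the classpath; the class name PrivateUploadDir and the directory ~/.app-uploads are hypothetical.

```java
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public final class PrivateUploadDir {
    // Hypothetical location; pick a path outside the shared system temp directory.
    static final Path UPLOAD_DIR = Paths.get(System.getProperty("user.home"), ".app-uploads");

    /** Creates (or validates) a directory that only the current user can access. */
    static Path ensurePrivateDir(Path dir) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        if (Files.notExists(dir, LinkOption.NOFOLLOW_LINKS)) {
            Files.createDirectories(dir, PosixFilePermissions.asFileAttribute(ownerOnly));
        }
        // Refuse symlinks and anything that is not a real directory.
        if (!Files.isDirectory(dir, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException(dir + " is not a directory (or is a symlink)");
        }
        // A directory created earlier by another account must not be reused.
        if (!Files.getOwner(dir, LinkOption.NOFOLLOW_LINKS).getName()
                .equals(System.getProperty("user.name"))) {
            throw new IOException(dir + " is owned by another user");
        }
        // A pre-existing directory may have looser permissions; tighten and re-check.
        Files.setPosixFilePermissions(dir, ownerOnly);
        if (!Files.getPosixFilePermissions(dir, LinkOption.NOFOLLOW_LINKS).equals(ownerOnly)) {
            throw new IOException("could not restrict permissions on " + dir);
        }
        return dir;
    }

    /** Factory that spills large uploads to disk inside the private directory. */
    static DefaultHttpDataFactory newDataFactory() throws IOException {
        DefaultHttpDataFactory factory =
                new DefaultHttpDataFactory(DefaultHttpDataFactory.MINSIZE);
        factory.setBaseDir(ensurePrivateDir(UPLOAD_DIR).toString());
        factory.setDeleteOnExit(true); // remove leftover temp files when the JVM exits
        return factory;
    }
}
```

Pass the returned factory to the multipart decoder in place of a default-constructed one, so that disk-backed uploads are written under the owner-only directory rather than the shared temporary directory.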

Exploit

Fix

Exposure of Resource to Wrong Sphere

Weakness Enumeration

Related Identifiers

BDU:2023-08651
CLEANSTART-2026-DD05788
CLEANSTART-2026-GH89210
CLEANSTART-2026-KU61465
CLEANSTART-2026-LE11246
CLEANSTART-2026-RN56220
CLEANSTART-2026-VH41554
CVE-2022-24823
GHSA-269Q-HMXG-M83Q
GHSA-5MCR-GQ6C-3HQ2
OESA-2025-2149
OESA-2025-2150
OESA-2025-2151
OESA-2025-2152
OESA-2025-2153
OESA-2025-2286
OPENSUSE-SU-2024:14442-1
RHSA-2022:5892
RHSA-2022:5893
RHSA-2022:5894
SUSE-SU-2023:2096-1
SUSE-SU-2023:2096-2
SUSE-SU-2023_2096-1
SUSE-SU-2023_2096-2
USN-7284-1

Affected Products

Debian
Java
Linuxmint
Suse
Ubuntu