CVE-2021-28099

{"id": "CVE-2021-28099", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}]}, "published": "2021-03-23T21:15:13.557", "references": [{"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md", "tags": ["Third Party Advisory"], "source": "security-report@netflix.com"}, {"url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-330"}]}], "descriptions": [{"lang": "en", "value": "In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated."}, {"lang": "es", "value": "En Netflix OSS Hollow, dado que Files.exists(parent) se ejecuta antes de crear los directorios, un atacante puede crear previamente estos directorios con amplios permisos. Adem\u00e1s, dado que se utiliza una fuente no segura de aleatoriedad, los nombres de archivo que se crear\u00e1n se pueden calcular de forma determinista"}], "lastModified": "2024-11-21T05:59:05.440", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netflix:hollow:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E659DA4-A87C-478F-8A1E-F592AA631374"}], "operator": "OR"}]}], "sourceIdentifier": "security-report@netflix.com"}