Vulnerability Name:

CVE-2021-28168 (CCN-200601)

Assigned:2021-04-22
Published:2021-04-22
Updated:2022-07-29
Summary:Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contain a local information disclosure vulnerability. This is due to the use of File.createTempFile, which creates a file inside the system temporary directory with the permissions -rw-r--r--. The contents of this file are therefore readable by all other local users on the system, so if the contents written are security sensitive, they can be disclosed to other local users.
CVSS v3 Severity:5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.0 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.2 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.9 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-668
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2021-28168

Source: XF
Type: UNKNOWN
eclipse-jersey-cve202128168-info-disc(200601)

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/eclipse-ee4j/jersey/pull/4712

Source: CCN
Type: Jersey GIT Repository
Local information disclosure via system temporary directory

Source: CONFIRM
Type: Third Party Advisory
https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv

Source: MLIST
Type: Mailing List, Vendor Advisory
[kafka-users] 20210617 vulnerabilities

Source: MLIST
Type: Exploit, Mailing List, Vendor Advisory
[kafka-commits] 20210506 [kafka] branch 2.8 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-dev] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-jira] 20210506 [jira] [Assigned] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-jira] 20210506 [jira] [Commented] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-jira] 20210506 [GitHub] [kafka] omkreddy commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02

Source: MLIST
Type: Exploit, Mailing List, Vendor Advisory
[kafka-commits] 20210506 [kafka] branch 2.7 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)

Source: MLIST
Type: Mailing List, Vendor Advisory
[kafka-jira] 20210506 [GitHub] [kafka] omkreddy merged pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168

Source: MLIST
Type: Mailing List, Vendor Advisory
[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr closed pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-dev] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-jira] 20210505 [GitHub] [kafka] shayelkin opened a new pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-jira] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-jira] 20210429 [GitHub] [kafka] xjin-Confluent opened a new pull request #10614: MINOR: Upgrade jersey to 2.34

Source: MLIST
Type: Issue Tracking, Mailing List, Vendor Advisory
[kafka-jira] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02

Source: CCN
Type: IBM Security Bulletin 6848225 (Netcool Operations Insight)
Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 7001565 (Sterling Partner Engagement Manager)
IBM Sterling Partner Engagement Manager is vulnerable to information disclosure vulnerability due to org.glassfish.jersey.core_jersey-common (CVE-2021-28168)

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:eclipse:jersey:*:*:*:*:*:*:*:* (Version >= 3.0.0 and < 3.0.2)
  • OR cpe:/a:eclipse:jersey:*:*:*:*:*:*:*:* (Version >= 2.28 and < 2.34)

Configuration 2:
  • cpe:/a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:eclipse:jersey:2.33:*:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jersey:3.0.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable