Impact

Eclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.

Workaround

This issue can be mitigated by manually setting the java.io.tmpdir system property when launching the JVM.

Patches

Jersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.

References

• #4712
• CWE-378: Creation of Temporary File With Insecure Permissions
• CWE-379: Creation of Temporary File in Directory with Insecure Permissions

Similar Vulnerabilities

Similar, but not the same:

• JUnit 4 - GHSA-269g-pwp5-87pp
• Google Guava - google/guava#4011
• Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
• JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824
• Eclipse Jetty - GHSA-g3wg-6mcf-8jj6

Original Disclosure:

Hello Jersey Security Team,

Utilizing a custom CodeQL query written as a part of the GitHub Security Lab Bug Bounty program, I've unearthed a local temporary file information disclosure vulnerability.

You can see the custom CodeQL query utilized here:
https://lgtm.com/query/8831016213790320486/

This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.

This vulnerability impacts the following locations in this project's source:

• jersey/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java

  Lines 64 to 73 in 01c6a32

  	final File file = Utils.createTempFile();
  	final OutputStream stream = new BufferedOutputStream(new FileOutputStream(file));
  	try {
  	writeTo(entityStream, stream);
  	} finally {
  	stream.close();
  	}
  	return file;

• jersey/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java

  Lines 202 to 208 in 01c6a32

  	// Create a temporary file.
  	final File file = Utils.createTempFile();
  	// Move the part (represented either via stream or file) to the specific temporary file.
  	entity.moveTo(file);
  	return file;

This vulnerability exists because of the vulnerability in the Utils.createTempFile:

jersey/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java

Lines 42 to 53 in 01c6a32

	/**
	* Create an empty file in the default temporary-file directory.
	*
	* @return An abstract pathname denoting a newly-created empty file.
	* @throws IOException if a file could not be created.
	*/
	public static File createTempFile() throws IOException {
	final File file = File.createTempFile("rep", "tmp");
	// Make sure the file is deleted when JVM is shutdown at last.
	file.deleteOnExit();
	return file;
	}

This is because File.createTempFile creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system.

If there is sensitive information written to these files, it is disclosed to other local users on this system.

The fix for this vulnerability is to use the Files API (instead of the File API) to create temporary files/directories as this new API correctly sets the posix file permissions.