Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
References
Link Providers
https://github.com/eclipse-ee4j/jersey/pull/4712 cve-icon cve-icon
https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv cve-icon cve-icon
https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-28168 cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-28168 cve-icon
https://www.oracle.com/security-alerts/cpuapr2022.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2021-04-22T17:35:14

Updated: 2024-08-03T21:40:12.260Z

Reserved: 2021-03-12T00:00:00

Link: CVE-2021-28168

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-04-22T18:15:08.250

Modified: 2024-11-21T05:59:14.487

Link: CVE-2021-28168

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-04-22T00:00:00Z

Links: CVE-2021-28168 - Bugzilla