Akka HTTP uploaded file permissions
47 views
Skip to first unread message
johan.andren
May 15, 2023, 5:15:11 AM5/15/23
to Akka Security
Date: 2023-05-15
CVE ID pending
Description of Vulnerability
When Akka HTTP prior to 10.5.2 accepts uploading files via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too broad permissions which makes it readable by other users on Unix like systems.
This vulnerability is similar to CVE-2022-41946 “TemporaryFolder on unix-like systems does not limit access to created files”.
Severity
Based on our assessment, the CVSS score of this vulnerability is 4.7, based on vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).
Impact
Any use of the Akka HTTP FileUploadDirectives.fileUploadAll directive will store uploaded files with too broad access permissions on Unix like systems.
Resolution
Starting from Akka HTTP 10.5.2, uploaded documents are created with strict permissions (OWNER_READ/WRITE).
Workaround
The vulnerability can be worked around by using a specific temporary directory with suitable permissions for each JVM on a shared server, using java.io.tmpdir to make the fileUploadAll store files in that directory.
Affected versions
All Akka HTTP versions prior to 10.5.2
CVE ID pending
Description of Vulnerability
When Akka HTTP prior to 10.5.2 accepts uploading files via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too broad permissions which makes it readable by other users on Unix like systems.
This vulnerability is similar to CVE-2022-41946 “TemporaryFolder on unix-like systems does not limit access to created files”.
Severity
Based on our assessment, the CVSS score of this vulnerability is 4.7, based on vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).
Impact
Any use of the Akka HTTP FileUploadDirectives.fileUploadAll directive will store uploaded files with too broad access permissions on Unix like systems.
Resolution
Starting from Akka HTTP 10.5.2, uploaded documents are created with strict permissions (OWNER_READ/WRITE).
Workaround
The vulnerability can be worked around by using a specific temporary directory with suitable permissions for each JVM on a shared server, using java.io.tmpdir to make the fileUploadAll store files in that directory.
Affected versions
All Akka HTTP versions prior to 10.5.2
Fixed versions
Akka HTTP 10.5.2
Akka HTTP 10.5.2
Acknowledgements
Thanks, Alex Zolotko (IBM Security), for bringing this issue to our attention.
References
#4261
Thanks, Alex Zolotko (IBM Security), for bringing this issue to our attention.
References
#4261
Reply all
Reply to author
Forward
0 new messages