CVE-2021-28099

In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.

In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.

> ID: NFLX-2021-001 > Title: Local information disclosure in Hollow > Release Date: 2021-03-23 > Credit: Security Researcher @JLLeitschuh # Overview Security researcher @JLLeitschuh reported that Netflix Hollow (a Netflix OSS project available here: https://github.com/Netflix/hollow) writes to a local temporary directory before validating the permissions on it. # Impact An attacker with the ability to create directories and set permissions on the local filesystem could pre-create this directory and read or modify anything written there by the Hollow process. # Description Since the `Files.exists(parent)` is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated. # Workarounds and Fixes Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.

> ID: NFLX-2021-001 > Title: Local information disclosure in Hollow > Release Date: 2021-03-23 > Credit: Security Researcher @JLLeitschuh # Overview Security researcher @JLLeitschuh reported that Netflix Hollow (a Netflix OSS project available here: https://github.com/Netflix/hollow) writes to a local temporary directory before validating the permissions on it. # Impact An attacker with the ability to create directories and set permissions on the local filesystem could pre-create this directory and read or modify anything written there by the Hollow process. # Description Since the `Files.exists(parent)` is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated. # Workarounds and Fixes Avoid running Hollow in configurations that share a filesystem with less-trusted processes. May be fixed in a future release.

En Netflix OSS Hollow, dado que Files.exists(parent) se ejecuta antes de crear los directorios, un atacante puede crear previamente estos directorios con amplios permisos. Además, dado que se utiliza una fuente no segura de aleatoriedad, los nombres de archivo que se crearán se pueden calcular de forma determinista