{"containers": {"cna": {"affected": [{"product": "Eclipse Jersey", "vendor": "The Eclipse Foundation", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "2.28", "versionType": "custom"}, {"lessThanOrEqual": "2.33", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom"}, {"lessThanOrEqual": "3.0.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-378", "description": "CWE-378: Creation of Temporary File With Insecure Permissions", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-379", "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:54:30", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/eclipse-ee4j/jersey/pull/4712"}, {"name": "[kafka-jira] 20210429 [GitHub] [kafka] xjin-Confluent opened a new pull request #10614: MINOR: Upgrade jersey to 2.34", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210505 [GitHub] [kafka] shayelkin opened a new pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [jira] [Assigned] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [jira] [Commented] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy merged pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-commits] 20210506 [kafka] branch 2.7 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E"}, {"name": "[kafka-commits] 20210506 [kafka] branch 2.8 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr closed pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-users] 20210617 vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-28168", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Eclipse Jersey", "version": {"version_data": [{"version_affected": ">=", "version_value": "2.28"}, {"version_affected": "<=", "version_value": "2.33"}, {"version_affected": ">=", "version_value": "3.0.0"}, {"version_affected": "<=", "version_value": "3.0.1"}]}}]}, "vendor_name": "The Eclipse Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users."}]}, "impact": {"cvss": {"baseScore": 6.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-378: Creation of Temporary File With Insecure Permissions"}]}, {"description": [{"lang": "eng", "value": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions"}]}]}, "references": {"reference_data": [{"name": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv", "refsource": "CONFIRM", "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"}, {"name": "https://github.com/eclipse-ee4j/jersey/pull/4712", "refsource": "CONFIRM", "url": "https://github.com/eclipse-ee4j/jersey/pull/4712"}, {"name": "[kafka-jira] 20210429 [GitHub] [kafka] xjin-Confluent opened a new pull request #10614: MINOR: Upgrade jersey to 2.34", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210505 [GitHub] [kafka] shayelkin opened a new pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [jira] [Assigned] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [jira] [Commented] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy merged pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-commits] 20210506 [kafka] branch 2.7 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E"}, {"name": "[kafka-commits] 20210506 [kafka] branch 2.8 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr closed pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-users] 20210617 vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:40:12.260Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/eclipse-ee4j/jersey/pull/4712"}, {"name": "[kafka-jira] 20210429 [GitHub] [kafka] xjin-Confluent opened a new pull request #10614: MINOR: Upgrade jersey to 2.34", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210505 [GitHub] [kafka] shayelkin opened a new pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [jira] [Assigned] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [jira] [Commented] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy merged pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-commits] 20210506 [kafka] branch 2.7 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E"}, {"name": "[kafka-commits] 20210506 [kafka] branch 2.8 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-dev] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr closed pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E"}, {"name": "[kafka-users] 20210617 vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-28168", "datePublished": "2021-04-22T17:35:14", "dateReserved": "2021-03-12T00:00:00", "dateUpdated": "2024-08-03T21:40:12.260Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:jersey:*:*:*:*:*:*:*:*", "matchCriteriaId": "950CB985-011C-484C-915C-7B994FEB40E4", "versionEndExcluding": "2.34", "versionStartIncluding": "2.28", "vulnerable": true}, {"criteria": "cpe:2.3:a:eclipse:jersey:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE1BC821-0033-43A2-BFA3-6E01995F1611", "versionEndExcluding": "3.0.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "B4367D9B-BF81-47AD-A840-AC46317C774D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "C6EAA723-2A23-4151-930B-86ACF9CC1C0C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users."}, {"lang": "es", "value": "Eclipse Jersey versiones 2.28 hasta 2.33 y Eclipse Jersey versiones 3.0.0 hasta 3.0.1, contienen una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n local.&#xa0;Esto es debido al uso de la funci\u00f3n File.createTempFile que crea un archivo dentro del directorio temporal del sistema con los permisos:-rw-r--r--.&#xa0;Por lo tanto, el contenido de este archivo es visible para todos los dem\u00e1s usuarios localmente en el sistema.&#xa0;Como tal, si el contenido escrito es sensible a la seguridad, puede ser revelado a otros usuarios locales"}], "id": "CVE-2021-28168", "lastModified": "2024-11-21T05:59:14.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "emo@eclipse.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-22T18:15:08.250", "references": [{"source": "emo@eclipse.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/eclipse-ee4j/jersey/pull/4712"}, {"source": "emo@eclipse.org", "tags": ["Third Party Advisory"], "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E"}, {"source": "emo@eclipse.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/eclipse-ee4j/jersey/pull/4712"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-378"}, {"lang": "en", "value": "CWE-379"}], "source": "emo@eclipse.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3225", "cpe": "cpe:/a:redhat:amq_streams:1", "package": "jersey-common", "product_name": "Red Hat AMQ Streams 1.8.0", "release_date": "2021-08-19T00:00:00Z"}, {"advisory": "RHSA-2022:1029", "cpe": "cpe:/a:redhat:integration:1", "package": "jersey-common", "product_name": "RHINT Camel-K 1.6.4", "release_date": "2022-03-23T00:00:00Z"}, {"advisory": "RHSA-2022:1013", "cpe": "cpe:/a:redhat:camel_quarkus:2.2.1", "impact": "moderate", "package": "jersey-common", "product_name": "RHINT Camel-Q 2.2.1", "release_date": "2022-03-22T00:00:00Z"}], "bugzilla": {"description": "jersey: Local information disclosure via system temporary directory", "id": "1953024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1953024"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users."], "name": "CVE-2021-28168", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Not affected", "package_name": "jersey-core", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Will not fix", "package_name": "org.glassfish.jersey.core.jersey-common", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "jersey-common", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "jersey-common", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "jersey-common", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hadoop", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-presto", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2021-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-28168\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28168"], "statement": "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.", "threat_severity": "Moderate", "upstream_fix": "jersey 2.34, jersey 3.0.2"}