CVE-2021-28099

EUVD-2021-0635
In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.4 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Affected Products (NVD)
VendorProductVersion
netflixhollow
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md