CVE-2021-28099

In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.4 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
netflixCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
VendorProductVersion
netflixhollow
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-001.md