CVE-2022-21230
low-risk
Published 2022-05-01
This affects all versions of package org.nanohttpd:nanohttpd. Whenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a RandomAccessFile when the it is larger than 1024 bytes. This file is created with insecure permissions that allow its contents to be viewed by all users on the host machine. **Workaround:** Manually specifying the -Djava.io.tmpdir= argument when launching Java to set the temporary directory to a directory exclusively controlled by the current user can fix this issue.
Do I need to act?
-
0.05% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10
Medium
LOCAL
/ LOW complexity
Affected Products (1)
Nanohttpd
Affected Vendors
References (8)
Third Party Advisory
https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-2r85-x...
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGNANOHTTPD-2422798
Third Party Advisory
https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-2r85-x...
Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-ORGNANOHTTPD-2422798
23
/ 100
low-risk
Severity
18/34 · Moderate
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal