CVE-2021-28168 : Security Advisory and Response

Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability due to insecure file permissions. This could lead to sensitive information disclosure to other local users.

Understanding CVE-2021-28168

This vulnerability impacts Eclipse Jersey versions 2.28 to 2.33 and 3.0.0 to 3.0.1, exposing a security risk for users.

What is CVE-2021-28168?

CVE-2021-28168 is a vulnerability present in Eclipse Jersey that allows local users to view sensitive information due to insecure file permissions.

The Impact of CVE-2021-28168

The vulnerability can lead to the disclosure of security-sensitive content to other users locally on the system, potentially compromising confidentiality.

Technical Details of CVE-2021-28168

The vulnerability is rated with a CVSS base score of 6.2, indicating a medium severity issue with high confidentiality impact.

Vulnerability Description

The issue is caused by the use of File.createTempFile that creates files with insecure permissions in the system temporary directory.

Affected Systems and Versions

Eclipse Jersey versions 2.28 to 2.33 and 3.0.0 to 3.0.1 are affected by this vulnerability.

Exploitation Mechanism

The vulnerability allows local users to access contents of sensitive files created with insecure permissions, leading to potential information disclosure.

Mitigation and Prevention

Users are advised to take immediate steps to mitigate the risks posed by CVE-2021-28168.

Immediate Steps to Take

It is recommended to update Eclipse Jersey to versions 2.34 or 3.02 to address this vulnerability.

Long-Term Security Practices

Implement strict file permissions and access controls to prevent unauthorized access to sensitive information.

Patching and Updates

Regularly update software and apply patches to address security vulnerabilities and protect against potential exploits.