Home > Vulnerability Database > CVE-2022-21230

Mend.io Vulnerability Database

CVE-2022-21230

Good to know:

Date: May 1, 2022

This affects all versions of package org.nanohttpd:nanohttpd. Whenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a RandomAccessFile when the it is larger than 1024 bytes. This file is created with insecure permissions that allow its contents to be viewed by all users on the host machine. Workaround: Manually specifying the -Djava.io.tmpdir= argument when launching Java to set the temporary directory to a directory exclusively controlled by the current user can fix this issue.

Language: Java

Severity Score

5.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-21230

Url: https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/core/src/main/java/org/nanohttpd/protocols/http/tempfiles/DefaultTempFileManager.java%23L60

Url: https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/core/src/main/java/org/nanohttpd/protocols/http/tempfiles/DefaultTempFile.java%23L58

Url: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-2r85-x9cf-8fcg

Url: https://www.mend.io/vulnerability-database/CVE-2022-21230

Severity Score

5.5

CVSS v3.1

Base Score:	5.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	2.1
Access Vector (AV):	LOCAL
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-21230

Good to know:

Date: May 1, 2022

Language: Java

Severity Score

Related Resources (5)

Severity Score

CVSS v3.1

CVSS v2

Do you need more information?