When Akka HTTP prior to 10.5.2 accepts uploading files via the
FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too broad permissions which makes it readable by other users on Unix like systems.
This vulnerability is similar to CVE-2022-41946 “TemporaryFolder on unix-like systems does not limit access to created files”.
Based on our assessment, the CVSS score of this vulnerability is 4.7, based on vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).
Any use of the Akka HTTP
FileUploadDirectives.fileUploadAll directive will store uploaded files with too broad access permissions on Unix like systems.
Starting from Akka HTTP 10.5.2, uploaded documents are created with strict permissions (
The vulnerability can be worked around by using a specific temporary directory with suitable permissions
for each JVM on a shared server, using
java.io.tmpdir to make the
fileUploadALl store files in that directory.
Thanks, Alex Zolotko (IBM Security), for bringing this issue to our attention.