2023-05-15
CVE-2023-33251
When Akka HTTP prior to 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll
directive, the temporary file it creates has overly broad permissions, which makes it readable by other users on Unix-like systems.
This vulnerability is similar to CVE-2022-41946 “TemporaryFolder on unix-like systems does not limit access to created files”.
Based on our assessment, the CVSS score of this vulnerability is 4.7, with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N: the attacker needs local access with low privileges, and the impact is to confidentiality only (the contents of the uploaded file).
In affected versions, any use of the Akka HTTP FileUploadDirectives.fileUploadAll
directive stores uploaded files with overly broad access permissions on Unix-like systems.
Starting from Akka HTTP 10.5.2, uploaded files are created with strict permissions (OWNER_READ and OWNER_WRITE only, i.e. mode rw-------).
On a shared server, the vulnerability can be worked around by giving each JVM its own temporary directory with suitable (owner-only) permissions
and pointing the java.io.tmpdir system property at it, so that fileUploadAll
stores its files in that directory. The files themselves are still created with broad permissions,
so the protection comes entirely from the directory's mode (for example 0700), which must deny other users access to it.
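The following is an added example and not Akka HTTP's own code. It contrasts a temporary file created through the legacy java.io.File API (mode 0666 masked by the process umask, so typically world-readable) with one created through java.nio.file.Files with OWNER_READ/OWNER_WRITE requested explicitly, as the fix described above does, and it adds a startup guard for the workaround that verifies the directory named by java.io.tmpdir is private to the current user. The class and method names are illustrative; the check only works on POSIX file systems, where Files.getPosixFilePermissions is supported.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added example (not Akka HTTP code): temp-file permissions on a POSIX system,
 * plus a guard for the java.io.tmpdir workaround. Hypothetical class name.
 */
public class UploadTempFilePermissions {

    private static final Set<PosixFilePermission> OWNER_ONLY =
        EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    /** Any permission bit for group or others means another local user can reach the path. */
    static boolean accessibleToOthers(Set<PosixFilePermission> perms) {
        for (PosixFilePermission p : perms) {
            switch (p) {
                case OWNER_READ: case OWNER_WRITE: case OWNER_EXECUTE:
                    break;
                default:
                    return true;
            }
        }
        return false;
    }

    /** Legacy API: the file is opened with mode 0666 & ~umask, i.e. 0644 under the common umask 022. */
    static Path legacyTempFile() throws IOException {
        return File.createTempFile("upload-", ".tmp").toPath();
    }

    /** Hardened variant: request rw------- explicitly rather than relying on umask or a library default. */
    static Path strictTempFile() throws IOException {
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(OWNER_ONLY);
        return Files.createTempFile("upload-", ".tmp", attr);
    }

    /**
     * Guard for the workaround: the directory named by java.io.tmpdir must exist and must not be
     * readable, writable or searchable by group or others. Returns null when it is private,
     * otherwise a reason suitable for a startup log message.
     */
    static String checkTmpDirPrivate() throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        if (!Files.isDirectory(tmp)) {
            return tmp + " is not a directory";
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(tmp);
        if (accessibleToOthers(perms)) {
            return tmp + " has mode " + PosixFilePermissions.toString(perms) + ", expected rwx------";
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path strict = strictTempFile();
        try {
            Set<PosixFilePermission> legacyPerms = Files.getPosixFilePermissions(legacy);
            Set<PosixFilePermission> strictPerms = Files.getPosixFilePermissions(strict);
            System.out.println("File.createTempFile  : " + PosixFilePermissions.toString(legacyPerms)
                + (accessibleToOthers(legacyPerms) ? "   <- other users can read the upload" : ""));
            System.out.println("Files.createTempFile : " + PosixFilePermissions.toString(strictPerms));
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(strict);
        }
        // With the default /tmp (mode 1777) this reports a shared directory; after launching with
        // -Djava.io.tmpdir=<private 0700 directory> it reports a private one.
        String problem = checkTmpDirPrivate();
        System.out.println(problem == null
            ? "java.io.tmpdir is private to this user"
            : "java.io.tmpdir is shared: " + problem);
    }
}
```

Run it once with the default temporary directory and once with `-Djava.io.tmpdir` pointing at a directory created with mode 0700; the first run shows why the workaround is needed (the legacy file is readable by others and the directory is shared), the second shows the workaround in effect. Upgrading to 10.5.2 remains the actual fix, since only then are the uploaded files themselves created owner-only.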
Fixed in: 10.5.2
Thanks, Alex Zolotko (IBM Security), for bringing this issue to our attention.