Summary
Local information disclosure via system temporary directory
Workaround
This issue can be mitigated by manually setting the java.io.tmpdir system property when launching the JVM.
References
- https://github.com/eclipse-ee4j/jersey/pull/4712
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Similar Vulnerabilities
Similar, but not the same:
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
- Google Guava - https://github.com/google/guava/issues/4011
- Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
- JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824
- Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6
Original Disclosure:
Hello Jersey Security Team,
Utilizing a custom CodeQL query written as a part of the GitHub Security Lab Bug Bounty program, I've unearthed a local temporary file information disclosure vulnerability.
You can see the custom CodeQL query utilized here:
https://lgtm.com/query/8831016213790320486/
This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.
This vulnerability impacts the following locations in this project's source:
- https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73
- https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208
This vulnerability exists because of the vulnerability in the Utils.createTempFile:
This is because File.createTempFile creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system.
If there is sensitive information written to these files, it is disclosed to other local users on this system.
The fix for this vulnerability is to use the Files API (instead of the File API) to create temporary files/directories as this new API correctly sets the posix file permissions.
Impact
Eclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
A file, directory, or other resource is assigned permissions that allow broader access than intended. Typical impact: unauthorized read, modification, or execution of the resource.
CVE-2021-28168 has a CVSS score of 6.2 (Medium). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.34, 3.0.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Jersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.
Frequently Asked Questions
- What is CVE-2021-28168? CVE-2021-28168 is a medium-severity incorrect permission assignment for critical resource vulnerability in org.glassfish.jersey.core:jersey-common (maven), affecting versions >= 2.28, <= 2.33. It is fixed in 2.34, 3.0.2. A file, directory, or other resource is assigned permissions that allow broader access than intended.
- How severe is CVE-2021-28168? CVE-2021-28168 has a CVSS score of 6.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of org.glassfish.jersey.core:jersey-common are affected by CVE-2021-28168? org.glassfish.jersey.core:jersey-common (maven) versions >= 2.28, <= 2.33 is affected.
- Is there a fix for CVE-2021-28168? Yes. CVE-2021-28168 is fixed in 2.34, 3.0.2. Upgrade to this version or later.
- Is CVE-2021-28168 exploitable, and should I be worried? Whether CVE-2021-28168 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2021-28168 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2021-28168?
- Upgrade
org.glassfish.jersey.core:jersey-commonto 2.34 or later - Upgrade
org.glassfish.jersey.core:jersey-commonto 3.0.2 or later
- Upgrade