{ "threat_severity" : "Moderate", "public_date" : "2021-04-22T00:00:00Z", "bugzilla" : { "description" : "jersey: Local information disclosure via system temporary directory", "id" : "1953024", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1953024" }, "cvss3" : { "cvss3_base_score" : "6.2", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-200", "details" : [ "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users." ], "statement" : "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.", "affected_release" : [ { "product_name" : "Red Hat AMQ Streams 1.8.0", "release_date" : "2021-08-19T00:00:00Z", "advisory" : "RHSA-2021:3225", "cpe" : "cpe:/a:redhat:amq_streams:1", "package" : "jersey-common" }, { "product_name" : "RHINT Camel-K 1.6.4", "release_date" : "2022-03-23T00:00:00Z", "advisory" : "RHSA-2022:1029", "cpe" : "cpe:/a:redhat:integration:1", "package" : "jersey-common" }, { "product_name" : "RHINT Camel-Q 2.2.1", "release_date" : "2022-03-22T00:00:00Z", "advisory" : "RHSA-2022:1013", "cpe" : "cpe:/a:redhat:camel_quarkus:2.2.1" } ], "package_state" : [ { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Not affected", "package_name" : "jersey-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "jersey-common", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Affected", "package_name" : "jersey-common", "cpe" : "cpe:/a:redhat:camel_quarkus:2", "impact" : "moderate" }, { "product_name" : "Red Hat Integration Service Registry", "fix_state" : "Will not fix", "package_name" : "jersey-common", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Not affected", "package_name" : "jersey-common", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-metering-hadoop", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-metering-hive", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-metering-presto", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Out of support scope", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:10" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-28168\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28168" ], "name" : "CVE-2021-28168", "csaw" : false }