Bug 13252

Summary: [CVE 21] jersey 2.28 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED WONTFIX QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: m.novosyolov, s.matveev, y.tumanov
Version: AllFlags: y.tumanov: secteam_verified?
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2021-28168,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-05-02 16:37:11 MSK 
Please patch CVEs for package jersey version 2.28  
INFO (CVEs are): jersey 2.28 cves found
CVE-2021-28168
Desc: Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-28168
Severity: MEDIUM
Comment 1 Mikhail Novosyolov 2023-05-15 14:14:15 MSK 
В этом пакете пока не будем исправлять CVE в связи с отсутствием его широкого применения и сложностью их закрытия.