Patches
No patches are available. The maintainers have been unresponsive. It may be appropriate to consider this project unmaintained at this point.
Impact
The org.nanohttpd.protocols.http.tempfiles.DefaultTempFileManager & org.nanohttpd.protocols.http.tempfiles.DefaultTempFile contain a local temporary file information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. As such, files written to that directory without setting the correct file permissions can allow other users on that system to view the contents of the files written to those temporary files.
Vulnerability Locations
Whenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a RandomAccessFile when the body is larger than 1024 bytes. Unfortunately, RandomAccessFile is created using a temporary file which is created with file permissions that allow it's contents to be viewed by all users on the host machine.
https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/core/src/main/java/org/nanohttpd/protocols/http/HTTPSession.java#L611-L617
Workarounds
Manually specifying the -Djava.io.tmpdir= argument when launching Java to set set the temporary directory to a directory exclusively controlled by the current user can fix this issue.
References
JLLeitschuh Analyst
Patches
No patches are available. The maintainers have been unresponsive. It may be appropriate to consider this project unmaintained at this point.
Impact
The
org.nanohttpd.protocols.http.tempfiles.DefaultTempFileManager&org.nanohttpd.protocols.http.tempfiles.DefaultTempFilecontain a local temporary file information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. As such, files written to that directory without setting the correct file permissions can allow other users on that system to view the contents of the files written to those temporary files.Vulnerability Locations
Whenever an HTTP Session is parsing the body of an HTTP request, the body of the request is written to a RandomAccessFile when the body is larger than 1024 bytes. Unfortunately, RandomAccessFile is created using a temporary file which is created with file permissions that allow it's contents to be viewed by all users on the host machine.
https://github.com/NanoHttpd/nanohttpd/blob/efb2ebf85a2b06f7c508aba9eaad5377e3a01e81/core/src/main/java/org/nanohttpd/protocols/http/HTTPSession.java#L611-L617
Workarounds
Manually specifying the
-Djava.io.tmpdir=argument when launching Java to set set the temporary directory to a directory exclusively controlled by the current user can fix this issue.References