DataDog API Client contains a Local Information Disclosure Vulnerability

Moderate
JLLeitschuh published GHSA-c69w-942w-45c7 Feb 25, 2022

Package

maven com.datadoghq:datadog-api-client (Maven)

Affected versions

< 1.0.0-beta.9

Patched versions

1.0.0-beta.9

Description

Disclosure By Vendor

GHSA-2cxf-6567-7pp6

Description

Utilizing a custom CodeQL query written as a part of the GitHub Security Lab Bug Bounty program, I've unearthed a local information disclosure vulnerability in this OSS repository.

This particular vulnerability impacts DataDog/datadog-api-client-java

You can see the custom CodeQL query utilized here:
https://lgtm.com/query/8938575359870595124/

This vulnerability exists in the ApiClient for versions 1 and 2.
The method prepareDownloadFile creates a temporary file with the permission bits -rw-r--r-- on unix-like systems. On unix-like systems, the system temporary directory is shared between users.

As such, the contents of the file downloaded by downloadFileFromResponse will be visible to all other users on the local system.

Exploit Scenario

Datadog API is executed on a unix-like system with multiple users. The API is used to download a file containing sensitive information. This sensitive information is exposed locally to other users.

Impact

Local information disclosure of sensitive information downloaded via the API using the API Client.

Severity

Moderate

CVE ID

CVE-2021-21331
