CVE-2021-21331
DataDog API Client contains a Local Information Disclosure Vulnerability
Severity Score: -
Exploit Likelihood: -
Affected Versions: 1.0.0-beta1 through 1.0.0-beta8 (see table below)
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
The Java client for the Datadog API before version 1.0.0-beta.9 has a local information disclosure of sensitive information downloaded via the API using the API client. The scenario is a unix-like system with multiple users on which the client is used to download a file containing sensitive information; that information is exposed locally to the other users. The vulnerability exists in the client for both the v1 and v2 API. The method `prepareDownloadFile` creates a temporary file with the permission bits `-rw-r--r--` on unix-like systems (0644: the file is created with mode 0666 masked by the usual umask of 022). Because the system temporary directory is shared between users on such systems, the contents of a file downloaded via the `downloadFileFromResponse` method are readable by every other user on the local system. Analysis of the finding determined that the affected code was unused, so the exploitation likelihood is low. The unused code has been removed, effectively mitigating the issue; the fix is released in version 1.0.0-beta.9. As a workaround, set `java.io.tmpdir` when starting the JVM (the `-Djava.io.tmpdir` flag) to a directory owned by the user the client runs as (`dd-agent` in the advisory) and accessible only to that user. The advisory writes that directory's mode as `drw-------`; a directory needs the execute (search) bit to be entered at all, so the mode to set in practice is `drwx------` (0700).
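The following is an added illustration, not code from datadog-api-client-java or from the advisory: it puts the temp-file pattern the description attributes to `prepareDownloadFile` next to a hardened variant and adds the check a reviewer would run on the created file. The method names, file-name prefixes and the sample payload are assumptions made for this demo; it targets unix-like systems, since it reads POSIX permission bits.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example, not code from datadog-api-client-java. Method names,
// prefixes and the payload are assumptions for this demo. POSIX-only.
public class TempFileDisclosureDemo {

    // Weak pattern (as described in CVE-2021-21331): java.io.File.createTempFile
    // creates the file in the shared java.io.tmpdir with mode 0666 & ~umask,
    // i.e. -rw-r--r-- under the usual umask of 022. Every local user can then
    // read whatever is written into it.
    static File prepareDownloadFileWeak(String prefix) throws IOException {
        return File.createTempFile(prefix, ".download");
    }

    // Hardened variant: java.nio.file.Files.createTempFile already defaults to
    // rw------- on POSIX; passing the permissions explicitly keeps the intent
    // visible and applies it atomically at creation (no chmod race afterwards).
    static Path prepareDownloadFileHardened(String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        return Files.createTempFile(prefix, ".download",
                PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    // Review check: can anyone other than the owner read the file?
    static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    static void report(String label, Path p) throws IOException {
        System.out.printf("%s %s mode=%s readableByOthers=%b%n", label, p,
                PosixFilePermissions.toString(Files.getPosixFilePermissions(p)),
                readableByOthers(p));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample payload standing in for a downloaded file.
        byte[] sensitive = "api_key=constructed-sample-value\n".getBytes(StandardCharsets.UTF_8);
        System.out.println("java.io.tmpdir = " + System.getProperty("java.io.tmpdir"));

        Path weak = prepareDownloadFileWeak("dd-weak-").toPath();
        Files.write(weak, sensitive);
        report("File.createTempFile ", weak);

        Path hardened = prepareDownloadFileHardened("dd-hard-");
        Files.write(hardened, sensitive);
        report("Files.createTempFile", hardened);

        Files.delete(weak);
        Files.delete(hardened);
    }
}
```

Run it with `java TempFileDisclosureDemo.java` (JDK 11 or later). Under the common umask of 022 the first file reports `rw-r--r--` and `readableByOthers=true`, the second `rw-------` and `false`. Under a umask of 077 both come out owner-only, which is exactly why a umask is not a fix: it is the deployment's choice, not the library's. To exercise the advisory's workaround, start the same program with `-Djava.io.tmpdir=/some/private/tmp` (hypothetical path) where that directory is mode 0700 and owned by the running user; the files then land somewhere other users cannot traverse, whatever their permission bits.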
CVSS Scores
SSVC
- Decision: -
Timeline
- 2020-12-22 CVE Reserved
- 2021-03-03 CVE Published
- 2023-11-17 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: not recorded
- KEV Due Date: not recorded
- First Exploit: not recorded
CWE
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-379: Creation of Temporary File in Directory with Insecure Permissions
CAPEC
References (2)
URL | Tag | Date |
---|---|---|
https://github.com/DataDog/datadog-api-client-java/releases/tag/datadog-api-client-1.0.0-beta.9 | Third Party Advisory | - |
https://github.com/DataDog/datadog-api-client-java/security/advisories/GHSA-2cxf-6567-7pp6 | - | 2021-03-10 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Datadoghq | Datadog-api-client-java | 1.0.0 | beta1 | Affected |
Datadoghq | Datadog-api-client-java | 1.0.0 | beta2 | Affected |
Datadoghq | Datadog-api-client-java | 1.0.0 | beta3 | Affected |
Datadoghq | Datadog-api-client-java | 1.0.0 | beta4 | Affected |
Datadoghq | Datadog-api-client-java | 1.0.0 | beta5 | Affected |
Datadoghq | Datadog-api-client-java | 1.0.0 | beta6 | Affected |
Datadoghq | Datadog-api-client-java | 1.0.0 | beta7 | Affected |
Datadoghq | Datadog-api-client-java | 1.0.0 | beta8 | Affected |