Akka HTTP uploaded file permissions

Date

2023-05-15

CVE

CVE-2023-33251

Description of Vulnerability

When Akka HTTP prior to 10.5.2 accepts uploading files via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too broad permissions which makes it readable by other users on Unix like systems.

This vulnerability is similar to CVE-2022-41946 "TemporaryFolder on unix-like systems does not limit access to created files."

Severity

Based on our assessment, the CVSS score of this vulnerability is 4.7, based on vector (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

Impact

Any use of the Akka HTTP FileUploadDirectives.fileUploadAll directive will store uploaded files with too broad access permissions on Unix like systems.

Resolution

Starting from Akka HTTP 10.5.2, uploaded documents are created with strict permissions (OWNER_READ/WRITE).

Workaround

The vulnerability can be worked around by using a specific temporary directory with suitable permissions for each JVM on a shared server, using java.io.tmpdir to make the fileUploadALl store files in that directory.

Affected versions

  • All Akka HTTP versions prior to 10.5.2

Fixed versions

  • Akka HTTP 10.5.2

Acknowledgements

Thanks, Alex Zolotko (IBM Security), for bringing this issue to our attention.

References