{"api_version":"1","generated_at":"2026-04-22T19:19:50+00:00","cve":"CVE-2022-24823","urls":{"html":"https://cve.report/CVE-2022-24823","api":"https://cve.report/api/cve/CVE-2022-24823.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24823","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24823"},"summary":{"title":"CVE-2022-24823","description":"Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-05-06 12:15:00","updated_at":"2022-12-03 14:25:00"},"problem_types":["CWE-668","CWE-378","CWE-379"],"metrics":[],"references":[{"url":"https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1","name":"https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-269q-hmxg-m83q · netty/netty@185f8b2 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20220616-0004/","name":"https://security.netapp.com/advisory/ntap-20220616-0004/","refsource":"CONFIRM","tags":[],"title":"CVE-2022-24823 Apache Netty Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q","name":"https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q","refsource":"CONFIRM","tags":[],"title":"Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files for Java 6 and lower in io.netty:netty-codec-http · Advisory · netty/netty · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2","name":"https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2","refsource":"MISC","tags":[],"title":"Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files · Advisory · netty/netty · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24823","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24823","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24823","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"active_iq_unified_manager","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"linux","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24823","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"active_iq_unified_manager","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"windows","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24823","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"oncommand_workflow_automation","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24823","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"snapcenter","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24823","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netty","cpe5":"netty","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24823","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"financial_services_crime_and_compliance_management_studio","cpe6":"8.0.8.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24823","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"financial_services_crime_and_compliance_management_studio","cpe6":"8.0.8.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-24823","qid":"240589","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.6 (RHSA-2022:5893)"},{"cve":"CVE-2022-24823","qid":"240590","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.6 (RHSA-2022:5892)"},{"cve":"CVE-2022-24823","qid":"240591","title":"Red Hat Update for red hat jboss enterprise application platform 7.4.6 (RHSA-2022:5894)"},{"cve":"CVE-2022-24823","qid":"377645","title":"Oracle PeopleSoft Enterprise PeopleTools Product Multiple Vulnerabilities (CPUOCT2022)"},{"cve":"CVE-2022-24823","qid":"377649","title":"Oracle Coherence October 2022 Critical Patch Update (CPUOCT2022)"},{"cve":"CVE-2022-24823","qid":"691024","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for cassandra3 (53caf29b-9180-11ed-acbe-b42e991fc52e)"},{"cve":"CVE-2022-24823","qid":"753971","title":"SUSE Enterprise Linux Security Update for netty, netty-tcnative (SUSE-SU-2023:2096-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-24823","STATE":"PUBLIC","TITLE":"Local Information Disclosure Vulnerability in io.netty:netty-codec-http"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"netty","version":{"version_data":[{"version_value":"<= 4.1.76.Final"}]}}]},"vendor_name":"netty"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-668: Exposure of Resource to Wrong Sphere"}]},{"description":[{"lang":"eng","value":"CWE-378: Creation of Temporary File With Insecure Permissions"}]},{"description":[{"lang":"eng","value":"CWE-379: Creation of Temporary File in Directory with Insecure Permissions"}]}]},"references":{"reference_data":[{"name":"https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q","refsource":"CONFIRM","url":"https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q"},{"name":"https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2","refsource":"MISC","url":"https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2"},{"name":"https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1","refsource":"MISC","url":"https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20220616-0004/","url":"https://security.netapp.com/advisory/ntap-20220616-0004/"}]},"source":{"advisory":"GHSA-269q-hmxg-m83q","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-05-06 12:15:00","lastModifiedDate":"2022-12-03 14:25:00","problem_types":["CWE-668","CWE-378","CWE-379"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:P/I:N/A:N","accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":1.9},"severity":"LOW","exploitabilityScore":3.4,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*","versionEndExcluding":"4.1.77","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24823","Ordinal":"228281","Title":"CVE-2022-24823","CVE":"CVE-2022-24823","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24823","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}