CVE-2021-28099

MEDIUM

Netflix OSS Hollow - Info Disclosure

Description

In Netflix OSS Hollow, because the Files.exists(parent) check runs before the directories are created, an attacker can pre-create these directories with wide permissions. Additionally, because an insecure source of randomness is used, the names of the files to be created can be deterministically calculated.
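
The check-then-create pattern described above, next to a hardened form, as an added Java example. It is not Hollow's code: the class name, method names, the "blob-" and "hollow-example-" prefixes and the use of java.util.Random are assumptions for illustration, and the hardened method assumes a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Random;
import java.util.Set;

public class TempFileCreation {

    // Pattern from the description (illustrative): existence check first, then a guessable name.
    static Path riskyCreate(Path parent) throws IOException {
        if (!Files.exists(parent)) {
            // Skipped when the directory already exists, so a directory that another
            // local user pre-created with wide permissions is used as-is.
            Files.createDirectories(parent);
        }
        // java.util.Random is not a cryptographic generator; its output can be predicted.
        String name = "blob-" + new Random().nextLong();
        return Files.createFile(parent.resolve(name));
    }

    // Hardened form: no existence check, owner-only modes applied at creation time.
    static Path saferCreate() throws IOException {
        FileAttribute<Set<PosixFilePermission>> dirMode =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        FileAttribute<Set<PosixFilePermission>> fileMode =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        // The JDK picks the name and creates a new entry; it never adopts an existing one.
        Path dir = Files.createTempDirectory("hollow-example-", dirMode);
        // Inside a 0700 directory other local users can neither list nor plant files.
        return Files.createTempFile(dir, "blob-", ".tmp", fileMode);
    }

    public static void main(String[] args) throws IOException {
        Path file = saferCreate();
        System.out.println(file);
        System.out.println("dir:  " + Files.getPosixFilePermissions(file.getParent()));
        System.out.println("file: " + Files.getPosixFilePermissions(file));
    }
}
```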

Scores

CVSS v3 4.4
EPSS 0.0003
EPSS Percentile 10.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-330
Status published
Products (2)
com.netflix.hollow/hollow 0Maven
netflix/hollow
Published Mar 23, 2021
Tracked Since Feb 18, 2026