CVE-2021-28099

Summary

In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically calculated.

Affected Software

VendorProductVersion RangeStatus
n/aNetflix OSS HollowAll versionsaffected

Weaknesses

  • Local Information Disclosure

ADP Enrichment

CVE Program Container

Additional References

References