Vulnerability: Insecure Directory Creation and Predictable File Names in Netflix OSS Hollow

CVE-2021-28099 · MEDIUM Severity

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

In Netflix OSS Hollow, Files.exists(parent) is checked before the directories are created, so an attacker can pre-create these directories with wide permissions. In addition, because an insecure source of randomness is used, the names of the files to be created can be deterministically calculated.
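
The check-then-create pattern described above, next to a hardened alternative, as an added Java example. This is not Hollow's source code: the class name, method names and the "work-"/"snapshot-" prefixes are hypothetical, and the permission attributes assume a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.security.SecureRandom;
import java.util.Random;
import java.util.Set;

public class TempFileDemo {
    // Weak pattern from the advisory: exists() check before creation, guessable file name.
    static Path weakCreate(Path parent) throws IOException {
        if (!Files.exists(parent)) {          // another local user may have created it first
            Files.createDirectories(parent);  // an existing directory is accepted with whatever
        }                                     // owner and permissions it already has
        String name = "snapshot-" + new Random().nextLong(); // java.util.Random is not a CSPRNG
        return Files.createFile(parent.resolve(name));
    }

    // Hardened pattern: fresh owner-only directory, owner-only file, CSPRNG-derived name.
    static Path hardenedCreate(Path base) throws IOException {
        FileAttribute<Set<PosixFilePermission>> dirPerms =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        FileAttribute<Set<PosixFilePermission>> filePerms =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        // createTempDirectory always makes a new directory; it never adopts an existing one.
        Path dir = Files.createTempDirectory(base, "work-", dirPerms);
        byte[] rnd = new byte[16];
        new SecureRandom().nextBytes(rnd);
        StringBuilder name = new StringBuilder("snapshot-");
        for (byte b : rnd) {
            name.append(String.format("%02x", b));
        }
        // createFile throws FileAlreadyExistsException instead of reusing an existing path.
        return Files.createFile(dir.resolve(name.toString()), filePerms);
    }

    public static void main(String[] args) throws IOException {
        Path base = Paths.get(System.getProperty("java.io.tmpdir"));
        Path f = hardenedCreate(base);
        // Show the resulting permissions on the file and on its parent directory.
        System.out.println(f + " " + Files.getPosixFilePermissions(f));
        System.out.println(f.getParent() + " " + Files.getPosixFilePermissions(f.getParent()));
    }
}
```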