Vulnerability: Insecure Directory Creation and Predictable File Names in Netflix OSS Hollow
CVE-2021-28099 · MEDIUM Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
In Netflix OSS Hollow, because Files.exists(parent) is checked before the directories are created, an attacker can pre-create these directories with wide permissions. Additionally, because an insecure source of randomness is used, the names of the files to be created can be calculated deterministically.
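The two weaknesses described above, shown next to a hardened form. This is an added example, not Hollow's code: the class and method names, the "snapshot-" prefix and the use of java.util.Random as the insecure source are assumptions made for illustration, and the checks assume a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Random;
import java.util.Set;

public class SafeWorkDir {
    static final Set<PosixFilePermission> OWNER_ONLY = PosixFilePermissions.fromString("rwx------");

    // Weak pattern (assumed shape): exists() check, then create, then a java.util.Random name.
    static Path weak(Path parent) throws IOException {
        if (!Files.exists(parent)) {          // a pre-created, world-writable parent is accepted as-is
            Files.createDirectories(parent);
        }
        return parent.resolve("snapshot-" + new Random().nextLong()); // not a cryptographic generator
    }

    // Hardened: request owner-only permissions, then verify whatever is now at the path.
    static Path hardened(Path parent) throws IOException {
        Files.createDirectories(parent, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        if (!Files.isDirectory(parent, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException(parent + " is not a real directory");
        }
        UserPrincipal me = parent.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        UserPrincipal owner = Files.getOwner(parent, LinkOption.NOFOLLOW_LINKS);
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(parent, LinkOption.NOFOLLOW_LINKS);
        if (!owner.equals(me) || !perms.equals(OWNER_ONLY)) {
            throw new IOException(parent + " pre-exists with owner=" + owner + " perms=" + perms);
        }
        // createTempFile chooses the name itself and creates a new file; it never opens an existing one.
        return Files.createTempFile(parent, "snapshot-", ".bin");
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("demo-");               // constructed sandbox
        Path planted = Files.createDirectory(base.resolve("work"));   // stands in for a pre-created dir
        Files.setPosixFilePermissions(planted, PosixFilePermissions.fromString("rwxrwxrwx"));
        System.out.println("weak accepts:     " + weak(planted));
        try {
            hardened(planted);
        } catch (IOException e) {
            System.out.println("hardened rejects: " + e.getMessage());
        }
        System.out.println("hardened creates: " + hardened(base.resolve("fresh")));
    }
}
```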