Bug 1922128 (CVE-2021-20202) - CVE-2021-20202 keycloak: Temporary Directory Hijacking Vulnerability in Keycloak
Summary: CVE-2021-20202 keycloak: Temporary Directory Hijacking Vulnerability in Keycloak
Alias: CVE-2021-20202
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1922126 1939880
TreeView+ depends on / blocked
Reported: 2021-01-29 10:17 UTC by Paramvir jindal
Modified: 2021-05-18 18:17 UTC (History)
41 users (show)

Fixed In Version: keycloak 13.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Last Closed: 2021-03-16 19:19:53 UTC

Attachments (Terms of Use)

Description Paramvir jindal 2021-01-29 10:17:07 UTC
This particular vulnerability exists because on unix-like systems (not including MacOS) the system temporary directory is shared between all users.
As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.
In the worse case scenario, this can lead to a local privilege escalation vulnerability.

An attacker can create these directories before the java process creates them, but with wider user permissions. Since these directory names are not in any way random, the attacker can simply create these directories ahead of Keycloak. When this happens, the java process doesn't complain that the directories already exist, `mkdir` and `mkdirs` simply return false.

However, assuming that the java process is the first thing to create these directories, `mkdir` and `mkdirs` will only set the directory following the default umask (I believe); by default that means that these directories are created with the permissions `drwxr-xr-x`.
Thus allowing a malicious local user to read the contents of this temporary directory.
The safest protections are to switch to the `Files` API that allow you to exclusively set the file permissions when creating the directories. Or use the `Files` API's for creating temporary directories.


Comment 4 Paramvir jindal 2021-02-01 08:43:13 UTC

Name: Jonathan Leitschuh (twitter handler : JLLeitschuh)

Comment 5 Eric Christensen 2021-02-16 20:22:29 UTC

By switching to the `Files` API, you are allowed to exclusively set the file permissions when creating directories or creating temporary directories.

Comment 7 Product Security DevOps Team 2021-03-16 19:19:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.