CVE-2021-21331
CVE-2021-21331 is a low-severity vulnerability in Datadoghq Datadog-api-client-java with a CVSS 3.x base score of 3.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-378.
Key facts
- Severity: Low (CVSS 3.x base score 3.0)
- CVSS v2: 4.3
- EPSS exploit prediction: 1% (43rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-378
- Affected product: Datadoghq Datadog-api-client-java
- Published:
- Last modified:
Description
The Java client for the Datadog API before version 1.0.0-beta.9 has a local information disclosure of sensitive information downloaded via the API using the API Client. The Datadog API is executed on a unix-like system with multiple users. The API is used to download a file containing sensitive information. This sensitive information is exposed locally to other users. This vulnerability exists in the API Client for version 1 and 2. The method `prepareDownloadFilecreates` creates a temporary file with the permissions bits of `-rw-r--r--` on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded via the `downloadFileFromResponse` method will be visible to all other users on the local system. Analysis of the finding determined that the affected code was unused, meaning that the exploitation likelihood is low. The unused code has been removed, effectively mitigating this issue. This issue has been patched in version 1.0.0-beta.9. As a workaround one may specify `java.io.tmpdir` when starting the JVM with the flag `-Djava.io.tmpdir`, specifying a path to a directory with `drw-------` permissions owned by `dd-agent`.
Frequently asked questions
- What is CVE-2021-21331?
- The Java client for the Datadog API before version 1.0.0-beta.9 has a local information disclosure of sensitive information downloaded via the API using the API Client. The Datadog API is executed on a unix-like system with multiple users. The API is used to download a file containing sensitive information. This sensitive information is exposed locally to other users. This vulnerability exists in the API Client for version 1 and 2. The method `prepareDownloadFilecreates` creates a temporary file with the permissions bits of `-rw-r--r--` on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded via the `downloadFileFromResponse` method will be visible to all other users on the local system. Analysis of the finding determined that the affected code was unused, meaning that the exploitation likelihood is low. The unused code has been removed, effectively mitigating this issue. This issue has been patched in version 1.0.0-beta.9. As a workaround one may specify `java.io.tmpdir` when starting the JVM with the flag `-Djava.io.tmpdir`, specifying a path to a directory with `drw-------` permissions owned by `dd-agent`.
- How severe is CVE-2021-21331?
- CVE-2021-21331 has a CVSS 3.x base score of 3.0, rated low severity. It is exploitable over network with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2021-21331 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (43rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-21331?
- CVE-2021-21331 primarily affects Datadoghq Datadog-api-client-java. In total, 8 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-21331?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-21331 published?
- CVE-2021-21331 was published on 2021-03-03 and last updated on 2026-06-17.
References
- https://github.com/DataDog/datadog-api-client-java/releases/tag/datadog-api-client-1.0.0-beta.9
- https://github.com/DataDog/datadog-api-client-java/security/advisories/GHSA-2cxf-6567-7pp6
Affected products (8)
- cpe:2.3:a:datadoghq:datadog-api-client-java:1.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:datadoghq:datadog-api-client-java:1.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:datadoghq:datadog-api-client-java:1.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:datadoghq:datadog-api-client-java:1.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:datadoghq:datadog-api-client-java:1.0.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:datadoghq:datadog-api-client-java:1.0.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:datadoghq:datadog-api-client-java:1.0.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:datadoghq:datadog-api-client-java:1.0.0:beta8:*:*:*:*:*:*
Other CWE-378 vulnerabilities
- CVE-2024-39872 — Critical (CVSS 9.6): A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application…
- CVE-2025-32438 — High (CVSS 8.8): make-initrd-ng is a tool for copying binaries and their dependencies. Local privilege escalation affecting all NixOS…
- CVE-2025-27148 — High (CVSS 8.8): Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. On Unix-like…
- CVE-2021-29428 — High (CVSS 8.8): In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions…
- CVE-2026-33572 — High (CVSS 8.4): OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local…
- CVE-2026-4137 — High (CVSS 7.8): In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py`…