Common Weakness Enumeration

CWE-377

Allowed-with-Review

Insecure Temporary File

Abstraction: Class · Status: Incomplete

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

170 vulnerabilities reference this CWE, most recent first.

GHSA-QXXC-7MQ4-MF79

Vulnerability from github – Published: 2023-01-12 06:30 – Updated: 2023-01-20 22:03
VLAI
Summary
Java Merge-sort Insecure Temporary File vulnerability
Details

Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.fasterxml.util:java-merge-sort"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-12T20:55:23Z",
    "nvd_published_at": "2023-01-12T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package `com.fasterxml.util:java-merge-sort` before 1.1.0 are vulnerable to Insecure Temporary File in the `StdTempFileProvider()` function in `StdTempFileProvider.java`, which uses the permissive `File.createTempFile()` function, exposing temporary file contents.",
  "id": "GHSA-qxxc-7mq4-mf79",
  "modified": "2023-01-20T22:03:35Z",
  "published": "2023-01-12T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24913"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cowtowncoder/java-merge-sort/pull/21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cowtowncoder/java-merge-sort/commit/450fdee70b5f181c2afc5d817f293efa1a543902"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cowtowncoder/java-merge-sort"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLUTIL-3227926"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Java Merge-sort Insecure Temporary File vulnerability"
}

GHSA-R225-6X7C-4Q3H

Vulnerability from github – Published: 2025-09-29 18:33 – Updated: 2025-09-29 18:33
VLAI
Details

bash-git-prompt 2.6.1 through 2.7.1 insecurely uses the /tmp/git-index-private$$ file, which has a predictable name.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61659"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T17:15:32Z",
    "severity": "MODERATE"
  },
  "details": "bash-git-prompt 2.6.1 through 2.7.1 insecurely uses the /tmp/git-index-private$$ file, which has a predictable name.",
  "id": "GHSA-r225-6x7c-4q3h",
  "modified": "2025-09-29T18:33:13Z",
  "published": "2025-09-29T18:33:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61659"
    },
    {
      "type": "WEB",
      "url": "https://github.com/magicmonty/bash-git-prompt/issues/561"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R35R-FPX2-JGR4

Vulnerability from github – Published: 2026-07-06 20:31 – Updated: 2026-07-06 20:31
VLAI
Summary
Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases
Details

Summary

The SQLite databases are created at predictable (static) paths in /tmp. Any user can therefore create a symlink at these paths in /tmp pointing to arbitrary files. The monitoring scripts then follows these symlinks and then creates their database at the symlink target. This becomes really dangerous for the scripts which can be executed as root with sudo. With this, an attacker can write to abitrary paths.

PoC

The docker-stats check command here as an example. Because writing to /tmp is the default behaviour, the other check commands which use a SQLite database are also very likely affected.

# Create the symlink as nagios user
nagios@test-server:/tmp$ ln -s /root/nagios-was-here /tmp/linuxfabrik-monitoring-plugins-docker-stats.db
# Trigger the execution nagios user
nagios@test-server:/tmp$ sudo /usr/lib64/nagios/plugins/docker-stats

Check whether or not file was created.

root@test-server:/# file /root/nagios-was-here
/root/nagios-was-here: SQLite 3.x database, last written using SQLite version 3046001, file counter 2, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 2

Impact

In it's basic form, this vulnerbility can lead to a denial of service, impacting users who use the provided sudoers file and who didn't take any special precautions like systemd's PrivateTemp. It requires that an attacker already compromised the nagios account (which is quite a high barrier to be honest).

If any application on the server relies on a SQLite database, there are scenarios where this vulnerability allows for content in existing SQLite databases to be modified. An attacker could let the symlink point to an existing SQLite database and create in /tmp a specially-crafted SQLite Rollback Journal (.db-journal) or Write-Ahead-Log (.db-wal), which is then applied to the database.

Fix

A proposed fix would be to create a separate directory inside /tmp per user (e.g.,/tmp/linuxfabrik-monitoring-plugins-{os.geteuid()}). After creating this directory (or using an already existing one), check the following:

# Use os.lstat() instead of os.stat() so we don't accidentally follow symlinks
dir_stat = os.lstat(TMP_DIR_PATH)

# Ensure the directory is a real dir and not a Symlink
if not stat.S_ISDIR(dir_stat.st_mode):
  # abort the execution
  sys.exit(1)

# Verify the owner
if dir_stat.st_uid != os.getuid():
  # abort the execution
  sys.exit(1)

# Verify the permissions
if (dir_stat.st_mode & 0o077) != 0:
  # abort the execution
  sys.exit(1)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "linuxfabrik-lib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T20:31:43Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nThe SQLite databases are created at predictable (static) paths in `/tmp`. Any user can therefore create a symlink at these paths in /tmp pointing to arbitrary files. The monitoring scripts then follows these symlinks and then creates their database at the symlink target.\nThis becomes really dangerous for the scripts which can be executed as root with sudo. With this, an attacker can write to abitrary paths.\n\n### PoC\nThe docker-stats check command here as an example. Because writing to /tmp is the default behaviour, the other check commands which use a SQLite database are also very likely affected.\n```\n# Create the symlink as nagios user\nnagios@test-server:/tmp$ ln -s /root/nagios-was-here /tmp/linuxfabrik-monitoring-plugins-docker-stats.db\n# Trigger the execution nagios user\nnagios@test-server:/tmp$ sudo /usr/lib64/nagios/plugins/docker-stats\n```\nCheck whether or not file was created.\n```\nroot@test-server:/# file /root/nagios-was-here\n/root/nagios-was-here: SQLite 3.x database, last written using SQLite version 3046001, file counter 2, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 2\n```\n\n### Impact\nIn it\u0027s basic form, this vulnerbility can lead to a denial of service, impacting users who use the provided sudoers file and who didn\u0027t take any special precautions like systemd\u0027s `PrivateTemp`. It requires that an attacker already compromised the nagios account (which is quite a high barrier to be honest).\n\nIf any application on the server relies on a SQLite database, there are scenarios where this vulnerability allows for content in existing SQLite databases to be modified. An attacker could let the symlink point to an existing SQLite database and create in /tmp a specially-crafted SQLite Rollback Journal (`.db-journal`) or Write-Ahead-Log (`.db-wal`), which is then applied to the database.\n\n### Fix\nA proposed fix would be to create a separate directory inside /tmp per user (e.g.,` /tmp/linuxfabrik-monitoring-plugins-{os.geteuid()}`). After creating this directory (or using an already existing one), check the following:\n```\n# Use os.lstat() instead of os.stat() so we don\u0027t accidentally follow symlinks\ndir_stat = os.lstat(TMP_DIR_PATH)\n\n# Ensure the directory is a real dir and not a Symlink\nif not stat.S_ISDIR(dir_stat.st_mode):\n  # abort the execution\n  sys.exit(1)\n\n# Verify the owner\nif dir_stat.st_uid != os.getuid():\n  # abort the execution\n  sys.exit(1)\n\n# Verify the permissions\nif (dir_stat.st_mode \u0026 0o077) != 0:\n  # abort the execution\n  sys.exit(1)\n```",
  "id": "GHSA-r35r-fpx2-jgr4",
  "modified": "2026-07-06T20:31:43Z",
  "published": "2026-07-06T20:31:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Linuxfabrik/monitoring-plugins/security/advisories/GHSA-r35r-fpx2-jgr4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Linuxfabrik/monitoring-plugins"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases"
}

GHSA-R5HP-3CGJ-J6XV

Vulnerability from github – Published: 2026-04-28 09:34 – Updated: 2026-05-06 19:52
VLAI
Summary
Spring AI's ONNX model cache defaults to world-writable predictable /tmp directory
Details

In Spring AI, having access to a shared environment can expose the ONNX model used by the application.

Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.ai:spring-ai-transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.ai:spring-ai-transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T19:52:09Z",
    "nvd_published_at": "2026-04-28T09:16:16Z",
    "severity": "MODERATE"
  },
  "details": "In Spring AI, having access to a shared environment can expose the ONNX model used by the application.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)",
  "id": "GHSA-r5hp-3cgj-j6xv",
  "modified": "2026-05-06T19:52:09Z",
  "published": "2026-04-28T09:34:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40979"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-projects/spring-ai"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-40979"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring AI\u0027s ONNX model cache defaults to world-writable predictable /tmp directory"
}

GHSA-R5X9-XQ27-VVXH

Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 12:31
VLAI
Details

Insecure Temporary File vulnerability in Altera Quartus Prime Standard 

Installer (SFX)

on Windows, Altera Quartus Prime Lite 

Installer (SFX)

on Windows allows Explore for Predictable Temporary File Names.This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-07T12:16:55Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Temporary File vulnerability in Altera Quartus Prime Standard\u00a0\n\nInstaller (SFX)\n\n on Windows, Altera Quartus Prime Lite\u00a0\n\nInstaller (SFX)\n\n on Windows allows Explore for Predictable Temporary File Names.This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1.",
  "id": "GHSA-r5x9-xq27-vvxh",
  "modified": "2026-01-07T12:31:22Z",
  "published": "2026-01-07T12:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14614"
    },
    {
      "type": "WEB",
      "url": "https://www.altera.com/security/security-advisory/asa-0005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RC83-8WMP-V9VX

Vulnerability from github – Published: 2023-07-11 18:31 – Updated: 2024-04-04 05:58
VLAI
Details

Insecure temporary file in the installer for Zoom Rooms before version 5.15.0 may allow an authenticated user to enable an escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-426",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-11T18:15:16Z",
    "severity": "HIGH"
  },
  "details": " Insecure temporary file in the installer for Zoom Rooms before version 5.15.0 may allow an authenticated user to enable an escalation of privilege via local access.\n",
  "id": "GHSA-rc83-8wmp-v9vx",
  "modified": "2024-04-04T05:58:24Z",
  "published": "2023-07-11T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34119"
    },
    {
      "type": "WEB",
      "url": "https://explore.zoom.us/en/trust/security/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFW8-HF5P-PVFC

Vulnerability from github – Published: 2024-10-25 03:31 – Updated: 2024-10-25 03:31
VLAI
Details

A vulnerability classified as problematic was found in chidiwilliams buzz 1.1.0. This vulnerability affects the function download_model of the file buzz/model_loader.py. The manipulation leads to insecure temporary file. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-25T02:15:03Z",
    "severity": "LOW"
  },
  "details": "A vulnerability classified as problematic was found in chidiwilliams buzz 1.1.0. This vulnerability affects the function download_model of the file buzz/model_loader.py. The manipulation leads to insecure temporary file. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-rfw8-hf5p-pvfc",
  "modified": "2024-10-25T03:31:32Z",
  "published": "2024-10-25T03:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10372"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Startr4ck/CVE_lists/blob/main/buzz/Insecure%20Temporary%20File%20in%20BUZZ.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.281764"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.281764"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.425441"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RG43-4X9M-W9JH

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

A Insecure Temporary File vulnerability in the packaging of cyrus-sasl of openSUSE Factory allows local attackers to escalate to root. This issue affects: openSUSE Factory cyrus-sasl version 2.1.27-4.2 and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-25T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Insecure Temporary File vulnerability in the packaging of cyrus-sasl of openSUSE Factory allows local attackers to escalate to root. This issue affects: openSUSE Factory cyrus-sasl version 2.1.27-4.2 and prior versions.",
  "id": "GHSA-rg43-4x9m-w9jh",
  "modified": "2022-05-24T17:43:02Z",
  "published": "2022-05-24T17:43:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8032"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1180669"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RG9H-VX28-XXP5

Vulnerability from github – Published: 2025-10-13 18:31 – Updated: 2025-10-13 21:02
VLAI
Summary
llama-index has Insecure Temporary File
Details

The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "llama-index"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-7707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-13T21:02:28Z",
    "nvd_published_at": "2025-10-13T17:15:35Z",
    "severity": "HIGH"
  },
  "details": "The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.",
  "id": "GHSA-rg9h-vx28-xxp5",
  "modified": "2025-10-13T21:02:28Z",
  "published": "2025-10-13T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7707"
    },
    {
      "type": "WEB",
      "url": "https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/run-llama/llama_index"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "llama-index has Insecure Temporary File"
}

GHSA-V5C9-98F7-2H54

Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2023-08-29 19:54
VLAI
Summary
Hadoop symlink vulnerability
Details

Hadoop 1.0.3 contains a symlink vulnerability as a result of storing pid files in the shared /tmp directory by default.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.hadoop:hadoop-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2012-2945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-29T19:54:42Z",
    "nvd_published_at": "2019-10-29T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Hadoop 1.0.3 contains a symlink vulnerability as a result of storing pid files in the shared `/tmp` directory by default.",
  "id": "GHSA-v5c9-98f7-2h54",
  "modified": "2023-08-29T19:54:42Z",
  "published": "2022-04-23T00:40:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2945"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535861"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/hadoop"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2012/Jul/3"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2012-2945"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hadoop symlink vulnerability"
}

No mitigation information available for this CWE.

CAPEC-149: Explore for Predictable Temporary File Names

An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.

CAPEC-155: Screen Temporary Files for Sensitive Information

An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.