CWE-377
Allowed-with-ReviewInsecure Temporary File
Abstraction: Class · Status: Incomplete
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
170 vulnerabilities reference this CWE, most recent first.
GHSA-QXXC-7MQ4-MF79
Vulnerability from github – Published: 2023-01-12 06:30 – Updated: 2023-01-20 22:03Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.util:java-merge-sort"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24913"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-12T20:55:23Z",
"nvd_published_at": "2023-01-12T05:15:00Z",
"severity": "MODERATE"
},
"details": "Versions of the package `com.fasterxml.util:java-merge-sort` before 1.1.0 are vulnerable to Insecure Temporary File in the `StdTempFileProvider()` function in `StdTempFileProvider.java`, which uses the permissive `File.createTempFile()` function, exposing temporary file contents.",
"id": "GHSA-qxxc-7mq4-mf79",
"modified": "2023-01-20T22:03:35Z",
"published": "2023-01-12T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24913"
},
{
"type": "WEB",
"url": "https://github.com/cowtowncoder/java-merge-sort/pull/21"
},
{
"type": "WEB",
"url": "https://github.com/cowtowncoder/java-merge-sort/commit/450fdee70b5f181c2afc5d817f293efa1a543902"
},
{
"type": "PACKAGE",
"url": "https://github.com/cowtowncoder/java-merge-sort"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLUTIL-3227926"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Java Merge-sort Insecure Temporary File vulnerability"
}
GHSA-R225-6X7C-4Q3H
Vulnerability from github – Published: 2025-09-29 18:33 – Updated: 2025-09-29 18:33bash-git-prompt 2.6.1 through 2.7.1 insecurely uses the /tmp/git-index-private$$ file, which has a predictable name.
{
"affected": [],
"aliases": [
"CVE-2025-61659"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-29T17:15:32Z",
"severity": "MODERATE"
},
"details": "bash-git-prompt 2.6.1 through 2.7.1 insecurely uses the /tmp/git-index-private$$ file, which has a predictable name.",
"id": "GHSA-r225-6x7c-4q3h",
"modified": "2025-09-29T18:33:13Z",
"published": "2025-09-29T18:33:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61659"
},
{
"type": "WEB",
"url": "https://github.com/magicmonty/bash-git-prompt/issues/561"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-R35R-FPX2-JGR4
Vulnerability from github – Published: 2026-07-06 20:31 – Updated: 2026-07-06 20:31Summary
The SQLite databases are created at predictable (static) paths in /tmp. Any user can therefore create a symlink at these paths in /tmp pointing to arbitrary files. The monitoring scripts then follows these symlinks and then creates their database at the symlink target.
This becomes really dangerous for the scripts which can be executed as root with sudo. With this, an attacker can write to abitrary paths.
PoC
The docker-stats check command here as an example. Because writing to /tmp is the default behaviour, the other check commands which use a SQLite database are also very likely affected.
# Create the symlink as nagios user
nagios@test-server:/tmp$ ln -s /root/nagios-was-here /tmp/linuxfabrik-monitoring-plugins-docker-stats.db
# Trigger the execution nagios user
nagios@test-server:/tmp$ sudo /usr/lib64/nagios/plugins/docker-stats
Check whether or not file was created.
root@test-server:/# file /root/nagios-was-here
/root/nagios-was-here: SQLite 3.x database, last written using SQLite version 3046001, file counter 2, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Impact
In it's basic form, this vulnerbility can lead to a denial of service, impacting users who use the provided sudoers file and who didn't take any special precautions like systemd's PrivateTemp. It requires that an attacker already compromised the nagios account (which is quite a high barrier to be honest).
If any application on the server relies on a SQLite database, there are scenarios where this vulnerability allows for content in existing SQLite databases to be modified. An attacker could let the symlink point to an existing SQLite database and create in /tmp a specially-crafted SQLite Rollback Journal (.db-journal) or Write-Ahead-Log (.db-wal), which is then applied to the database.
Fix
A proposed fix would be to create a separate directory inside /tmp per user (e.g.,/tmp/linuxfabrik-monitoring-plugins-{os.geteuid()}). After creating this directory (or using an already existing one), check the following:
# Use os.lstat() instead of os.stat() so we don't accidentally follow symlinks
dir_stat = os.lstat(TMP_DIR_PATH)
# Ensure the directory is a real dir and not a Symlink
if not stat.S_ISDIR(dir_stat.st_mode):
# abort the execution
sys.exit(1)
# Verify the owner
if dir_stat.st_uid != os.getuid():
# abort the execution
sys.exit(1)
# Verify the permissions
if (dir_stat.st_mode & 0o077) != 0:
# abort the execution
sys.exit(1)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "linuxfabrik-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53759"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T20:31:43Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\nThe SQLite databases are created at predictable (static) paths in `/tmp`. Any user can therefore create a symlink at these paths in /tmp pointing to arbitrary files. The monitoring scripts then follows these symlinks and then creates their database at the symlink target.\nThis becomes really dangerous for the scripts which can be executed as root with sudo. With this, an attacker can write to abitrary paths.\n\n### PoC\nThe docker-stats check command here as an example. Because writing to /tmp is the default behaviour, the other check commands which use a SQLite database are also very likely affected.\n```\n# Create the symlink as nagios user\nnagios@test-server:/tmp$ ln -s /root/nagios-was-here /tmp/linuxfabrik-monitoring-plugins-docker-stats.db\n# Trigger the execution nagios user\nnagios@test-server:/tmp$ sudo /usr/lib64/nagios/plugins/docker-stats\n```\nCheck whether or not file was created.\n```\nroot@test-server:/# file /root/nagios-was-here\n/root/nagios-was-here: SQLite 3.x database, last written using SQLite version 3046001, file counter 2, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 2\n```\n\n### Impact\nIn it\u0027s basic form, this vulnerbility can lead to a denial of service, impacting users who use the provided sudoers file and who didn\u0027t take any special precautions like systemd\u0027s `PrivateTemp`. It requires that an attacker already compromised the nagios account (which is quite a high barrier to be honest).\n\nIf any application on the server relies on a SQLite database, there are scenarios where this vulnerability allows for content in existing SQLite databases to be modified. An attacker could let the symlink point to an existing SQLite database and create in /tmp a specially-crafted SQLite Rollback Journal (`.db-journal`) or Write-Ahead-Log (`.db-wal`), which is then applied to the database.\n\n### Fix\nA proposed fix would be to create a separate directory inside /tmp per user (e.g.,` /tmp/linuxfabrik-monitoring-plugins-{os.geteuid()}`). After creating this directory (or using an already existing one), check the following:\n```\n# Use os.lstat() instead of os.stat() so we don\u0027t accidentally follow symlinks\ndir_stat = os.lstat(TMP_DIR_PATH)\n\n# Ensure the directory is a real dir and not a Symlink\nif not stat.S_ISDIR(dir_stat.st_mode):\n # abort the execution\n sys.exit(1)\n\n# Verify the owner\nif dir_stat.st_uid != os.getuid():\n # abort the execution\n sys.exit(1)\n\n# Verify the permissions\nif (dir_stat.st_mode \u0026 0o077) != 0:\n # abort the execution\n sys.exit(1)\n```",
"id": "GHSA-r35r-fpx2-jgr4",
"modified": "2026-07-06T20:31:43Z",
"published": "2026-07-06T20:31:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Linuxfabrik/monitoring-plugins/security/advisories/GHSA-r35r-fpx2-jgr4"
},
{
"type": "PACKAGE",
"url": "https://github.com/Linuxfabrik/monitoring-plugins"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases"
}
GHSA-R5HP-3CGJ-J6XV
Vulnerability from github – Published: 2026-04-28 09:34 – Updated: 2026-05-06 19:52In Spring AI, having access to a shared environment can expose the ONNX model used by the application.
Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.ai:spring-ai-transformers"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.ai:spring-ai-transformers"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40979"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T19:52:09Z",
"nvd_published_at": "2026-04-28T09:16:16Z",
"severity": "MODERATE"
},
"details": "In Spring AI, having access to a shared environment can expose the ONNX model used by the application.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)",
"id": "GHSA-r5hp-3cgj-j6xv",
"modified": "2026-05-06T19:52:09Z",
"published": "2026-04-28T09:34:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40979"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-ai"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-40979"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring AI\u0027s ONNX model cache defaults to world-writable predictable /tmp directory"
}
GHSA-R5X9-XQ27-VVXH
Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 12:31Insecure Temporary File vulnerability in Altera Quartus Prime Standard
Installer (SFX)
on Windows, Altera Quartus Prime Lite
Installer (SFX)
on Windows allows Explore for Predictable Temporary File Names.This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1.
{
"affected": [],
"aliases": [
"CVE-2025-14614"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T12:16:55Z",
"severity": "MODERATE"
},
"details": "Insecure Temporary File vulnerability in Altera Quartus Prime Standard\u00a0\n\nInstaller (SFX)\n\n on Windows, Altera Quartus Prime Lite\u00a0\n\nInstaller (SFX)\n\n on Windows allows Explore for Predictable Temporary File Names.This issue affects Quartus Prime Standard: from 23.1 through 24.1; Quartus Prime Lite: from 23.1 through 24.1.",
"id": "GHSA-r5x9-xq27-vvxh",
"modified": "2026-01-07T12:31:22Z",
"published": "2026-01-07T12:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14614"
},
{
"type": "WEB",
"url": "https://www.altera.com/security/security-advisory/asa-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RC83-8WMP-V9VX
Vulnerability from github – Published: 2023-07-11 18:31 – Updated: 2024-04-04 05:58Insecure temporary file in the installer for Zoom Rooms before version 5.15.0 may allow an authenticated user to enable an escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2023-34119"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-426",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-11T18:15:16Z",
"severity": "HIGH"
},
"details": " Insecure temporary file in the installer for Zoom Rooms before version 5.15.0 may allow an authenticated user to enable an escalation of privilege via local access.\n",
"id": "GHSA-rc83-8wmp-v9vx",
"modified": "2024-04-04T05:58:24Z",
"published": "2023-07-11T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34119"
},
{
"type": "WEB",
"url": "https://explore.zoom.us/en/trust/security/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RFW8-HF5P-PVFC
Vulnerability from github – Published: 2024-10-25 03:31 – Updated: 2024-10-25 03:31A vulnerability classified as problematic was found in chidiwilliams buzz 1.1.0. This vulnerability affects the function download_model of the file buzz/model_loader.py. The manipulation leads to insecure temporary file. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-10372"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-25T02:15:03Z",
"severity": "LOW"
},
"details": "A vulnerability classified as problematic was found in chidiwilliams buzz 1.1.0. This vulnerability affects the function download_model of the file buzz/model_loader.py. The manipulation leads to insecure temporary file. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-rfw8-hf5p-pvfc",
"modified": "2024-10-25T03:31:32Z",
"published": "2024-10-25T03:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10372"
},
{
"type": "WEB",
"url": "https://github.com/Startr4ck/CVE_lists/blob/main/buzz/Insecure%20Temporary%20File%20in%20BUZZ.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.281764"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.281764"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.425441"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RG43-4X9M-W9JH
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43A Insecure Temporary File vulnerability in the packaging of cyrus-sasl of openSUSE Factory allows local attackers to escalate to root. This issue affects: openSUSE Factory cyrus-sasl version 2.1.27-4.2 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2020-8032"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-25T10:15:00Z",
"severity": "HIGH"
},
"details": "A Insecure Temporary File vulnerability in the packaging of cyrus-sasl of openSUSE Factory allows local attackers to escalate to root. This issue affects: openSUSE Factory cyrus-sasl version 2.1.27-4.2 and prior versions.",
"id": "GHSA-rg43-4x9m-w9jh",
"modified": "2022-05-24T17:43:02Z",
"published": "2022-05-24T17:43:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8032"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1180669"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RG9H-VX28-XXP5
Vulnerability from github – Published: 2025-10-13 18:31 – Updated: 2025-10-13 21:02The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "llama-index"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-7707"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-13T21:02:28Z",
"nvd_published_at": "2025-10-13T17:15:35Z",
"severity": "HIGH"
},
"details": "The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.",
"id": "GHSA-rg9h-vx28-xxp5",
"modified": "2025-10-13T21:02:28Z",
"published": "2025-10-13T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7707"
},
{
"type": "WEB",
"url": "https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4"
},
{
"type": "PACKAGE",
"url": "https://github.com/run-llama/llama_index"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "llama-index has Insecure Temporary File"
}
GHSA-V5C9-98F7-2H54
Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2023-08-29 19:54Hadoop 1.0.3 contains a symlink vulnerability as a result of storing pid files in the shared /tmp directory by default.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.hadoop:hadoop-main"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-2945"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-29T19:54:42Z",
"nvd_published_at": "2019-10-29T19:15:00Z",
"severity": "HIGH"
},
"details": "Hadoop 1.0.3 contains a symlink vulnerability as a result of storing pid files in the shared `/tmp` directory by default.",
"id": "GHSA-v5c9-98f7-2h54",
"modified": "2023-08-29T19:54:42Z",
"published": "2022-04-23T00:40:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2945"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535861"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/hadoop"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2012/Jul/3"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2945"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hadoop symlink vulnerability"
}
No mitigation information available for this CWE.
CAPEC-149: Explore for Predictable Temporary File Names
An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.
CAPEC-155: Screen Temporary Files for Sensitive Information
An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.