Common Weakness Enumeration

CWE-378

Allowed

Creation of Temporary File With Insecure Permissions

Abstraction: Base · Status: Draft

Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.

85 vulnerabilities reference this CWE, most recent first.

GHSA-9Q8J-CHC7-WPGP

Vulnerability from github – Published: 2026-03-29 15:30 – Updated: 2026-04-06 22:46
VLAI
Summary
Duplicate Advisory: OpenClaw session transcript files were created without forced user-only permissions
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vr7j-g7jv-h5mp. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-378"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-06T22:46:19Z",
    "nvd_published_at": "2026-03-29T13:17:02Z",
    "severity": "MODERATE"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-vr7j-g7jv-h5mp. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.",
  "id": "GHSA-9q8j-chc7-wpgp",
  "modified": "2026-04-06T22:46:20Z",
  "published": "2026-03-29T15:30:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33572"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw session transcript files were created without forced user-only permissions",
  "withdrawn": "2026-04-06T22:46:19Z"
}

GHSA-9RRV-W2Q8-6FWM

Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31
VLAI
Details

Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T17:15:57Z",
    "severity": "HIGH"
  },
  "details": "Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.",
  "id": "GHSA-9rrv-w2q8-6fwm",
  "modified": "2026-01-13T18:31:07Z",
  "published": "2026-01-13T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46685"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C43Q-5HPJ-4CRV

Vulnerability from github – Published: 2021-04-23 16:55 – Updated: 2021-04-22 19:22
VLAI
Summary
Local information disclosure via system temporary directory
Details

Impact

Eclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.

Workaround

This issue can be mitigated by manually setting the java.io.tmpdir system property when launching the JVM.

Patches

Jersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.

References

Similar Vulnerabilities

Similar, but not the same:

  • JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
  • Google Guava - https://github.com/google/guava/issues/4011
  • Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
  • JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824
  • Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6

Original Disclosure:

Hello Jersey Security Team,

Utilizing a custom CodeQL query written as a part of the GitHub Security Lab Bug Bounty program, I've unearthed a local temporary file information disclosure vulnerability.

You can see the custom CodeQL query utilized here: https://lgtm.com/query/8831016213790320486/

This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.

This vulnerability impacts the following locations in this project's source:

  • https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73
  • https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208

This vulnerability exists because of the vulnerability in the Utils.createTempFile:

https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java#L42-L53

This is because File.createTempFile creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system.

If there is sensitive information written to these files, it is disclosed to other local users on this system.

The fix for this vulnerability is to use the Files API (instead of the File API) to create temporary files/directories as this new API correctly sets the posix file permissions.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.33"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.glassfish.jersey.core:jersey-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.28"
            },
            {
              "fixed": "2.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.glassfish.jersey.core:jersey-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-28168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378",
      "CWE-379",
      "CWE-668",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-22T19:22:31Z",
    "nvd_published_at": "2021-04-22T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\nEclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the `File.createTempFile` which creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.\n\n## Workaround\n\nThis issue can be mitigated by manually setting the `java.io.tmpdir` system property when launching the JVM.\n\n## Patches\n\nJersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.\n\n### References\n \n - https://github.com/eclipse-ee4j/jersey/pull/4712\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n## Similar Vulnerabilities\n\nSimilar, but not the same:\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n - Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\n\n---\n\nOriginal Disclosure:\n\n\u003e Hello Jersey Security Team,\n\u003e \n\u003e Utilizing a custom CodeQL query written as a part of the [GitHub Security Lab](https://securitylab.github.com/) [Bug Bounty program](https://securitylab.github.com/bounties), I\u0027ve unearthed a local temporary file information disclosure vulnerability.\n\u003e \n\u003e You can see the custom CodeQL query utilized here:\n\u003e https://lgtm.com/query/8831016213790320486/\n\u003e \n\u003e This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.\n\u003e \n\u003e This vulnerability impacts the following locations in this project\u0027s source:\n\u003e \n\u003e  - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73\n\u003e  - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208\n\u003e \n\u003e This vulnerability exists because of the vulnerability in the `Utils.createTempFile`:\n\u003e \n\u003e https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java#L42-L53\n\u003e \n\u003e This is because `File.createTempFile` creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system.\n\u003e \n\u003e If there is sensitive information written to these files, it is disclosed to other local users on this system.\n\u003e \n\u003e The fix for this vulnerability is to use the `Files` API (instead of the `File` API) to create temporary files/directories as this new API correctly sets the posix file permissions.",
  "id": "GHSA-c43q-5hpj-4crv",
  "modified": "2021-04-22T19:22:31Z",
  "published": "2021-04-23T16:55:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-ee4j/jersey/pull/4712"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Local information disclosure via system temporary directory"
}

GHSA-CQXR-XF2W-943W

Vulnerability from github – Published: 2021-05-11 00:05 – Updated: 2022-10-25 20:33
VLAI
Summary
Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code
Details

Impact

This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually!

On Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default umask settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions -rw-r--r-- and drwxr-xr-x respectively, unless an API that explicitly sets safe file permissions is used.

This vulnerability exists due to the use of the JDK method File.createTempFile. This method creates an insecure temporary files that can leave application and system data vulnerable to exposure.

Auto-generated code (Java, Scala) that deals with uploading or downloading binary data through API endpoints will create insecure temporary files during the process. For example, if the API endpoint returns a PDF file, the auto-generated clients will first download the PDF into a insecure temporary file that can be read by anyone on the system.

Affected generators: - Java - okhttp-gson (default library) https://github.com/OpenAPITools/openapi-generator/blob/d85f61ff0cfd6b8cd7063a63f302998a51466269/modules/openapi-generator/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L1085-L1088 - jersey2 https://github.com/OpenAPITools/openapi-generator/blob/d85f61ff0cfd6b8cd7063a63f302998a51466269/modules/openapi-generator/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L1035-L1038 - resteasy https://github.com/OpenAPITools/openapi-generator/blob/d85f61ff0cfd6b8cd7063a63f302998a51466269/modules/openapi-generator/src/main/resources/Java/libraries/resteasy/ApiClient.mustache#L604-L607 - retrofit2 https://github.com/OpenAPITools/openapi-generator/blob/d85f61ff0cfd6b8cd7063a63f302998a51466269/modules/openapi-generator/src/main/resources/Java/libraries/retrofit2/play26/ApiClient.mustache#L202-L208 - Scala - scala-finch https://github.com/OpenAPITools/openapi-generator/blob/764a3b044c19fadf4a0789473cde96a65b77868a/modules/openapi-generator/src/main/resources/scala-finch/api.mustache#L83-L88 - scala-akka https://github.com/OpenAPITools/openapi-generator/blob/150e24dc553a8ea5230ffb938ed3e6020e972faa/modules/openapi-generator/src/main/resources/scala-akka-http-server/multipartDirectives.mustache#L71-L73

Patches

The issue has been patched by changing the generated code to use the JDK method Files.createTempFile and released in the v5.1.0 stable version.

This vulnerability has the same root cause as CVE-2021-21364 from the swagger-api/swagger-codegen project as this project and that one both share the same original source tree. https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-hpv8-9rq5-hq7w

For more information

If you have any questions or comments about this advisory: * Open an issue in OpenAPI Generator Github repo * Email us at security@openapitools.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openapitools:openapi-generator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-377",
      "CWE-378",
      "CWE-379",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-10T19:25:35Z",
    "nvd_published_at": "2021-05-10T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n**This vulnerability impacts generated code.** If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually!\n\nOn Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default `umask` settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions `-rw-r--r--` and `drwxr-xr-x` respectively, unless an API that explicitly sets safe file permissions is used.\n\nThis vulnerability exists due to the use of the JDK method `File.createTempFile`. This method creates an insecure temporary files that can leave application and system data vulnerable to exposure.\n\nAuto-generated code (Java, Scala) that deals with uploading or downloading binary data through API endpoints will create insecure temporary files during the process. For example, if the API endpoint returns a PDF file, the auto-generated clients will first download the PDF into a insecure temporary file that can be read by anyone on the system.\n\nAffected generators: \n - Java\n   - `okhttp-gson` (default library)\n     https://github.com/OpenAPITools/openapi-generator/blob/d85f61ff0cfd6b8cd7063a63f302998a51466269/modules/openapi-generator/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L1085-L1088\n   - `jersey2`\n     https://github.com/OpenAPITools/openapi-generator/blob/d85f61ff0cfd6b8cd7063a63f302998a51466269/modules/openapi-generator/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L1035-L1038\n   - `resteasy`\n     https://github.com/OpenAPITools/openapi-generator/blob/d85f61ff0cfd6b8cd7063a63f302998a51466269/modules/openapi-generator/src/main/resources/Java/libraries/resteasy/ApiClient.mustache#L604-L607\n   - `retrofit2`\n      https://github.com/OpenAPITools/openapi-generator/blob/d85f61ff0cfd6b8cd7063a63f302998a51466269/modules/openapi-generator/src/main/resources/Java/libraries/retrofit2/play26/ApiClient.mustache#L202-L208\n - Scala\n   - `scala-finch`\n      https://github.com/OpenAPITools/openapi-generator/blob/764a3b044c19fadf4a0789473cde96a65b77868a/modules/openapi-generator/src/main/resources/scala-finch/api.mustache#L83-L88\n   - `scala-akka`\n      https://github.com/OpenAPITools/openapi-generator/blob/150e24dc553a8ea5230ffb938ed3e6020e972faa/modules/openapi-generator/src/main/resources/scala-akka-http-server/multipartDirectives.mustache#L71-L73\n\n### Patches\n\nThe issue has been patched by changing the generated code to use the JDK method `Files.createTempFile` and released in the v5.1.0 stable version.\n\nThis vulnerability has the same root cause as CVE-2021-21364 from the `swagger-api/swagger-codegen` project as this project and that one both share the same original source tree.\nhttps://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-hpv8-9rq5-hq7w\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [OpenAPI Generator Github repo](https://github.com/openAPITools/openapi-generator/)\n* Email us at [security@openapitools.org](mailto:security@openapitools.org)",
  "id": "GHSA-cqxr-xf2w-943w",
  "modified": "2022-10-25T20:33:52Z",
  "published": "2021-05-11T00:05:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-cqxr-xf2w-943w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21430"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenAPITools/openapi-generator/pull/8787"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenAPITools/openapi-generator/pull/8791"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenAPITools/openapi-generator/pull/9348"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenAPITools/openapi-generator"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code"
}

GHSA-CR7Q-2W66-HJCM

Vulnerability from github – Published: 2025-09-27 18:30 – Updated: 2025-09-29 18:36
VLAI
Summary
llama-index-core insecurely handles temporary files
Details

The llama-index-core package, up to version 0.12.44, contains a vulnerability in the get_cache_dir() function where a predictable, hardcoded directory path /tmp/llama_index is used on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal proprietary models, poison cached embeddings, or conduct symlink attacks. The issue affects all Linux deployments where multiple users share the same system. The vulnerability is classified under CWE-379, CWE-377, and CWE-367, indicating insecure temporary file creation and potential race conditions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "llama-index-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-7647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-29T18:36:50Z",
    "nvd_published_at": "2025-09-27T17:15:33Z",
    "severity": "HIGH"
  },
  "details": "The llama-index-core package, up to version 0.12.44, contains a vulnerability in the `get_cache_dir()` function where a predictable, hardcoded directory path `/tmp/llama_index` is used on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal proprietary models, poison cached embeddings, or conduct symlink attacks. The issue affects all Linux deployments where multiple users share the same system. The vulnerability is classified under CWE-379, CWE-377, and CWE-367, indicating insecure temporary file creation and potential race conditions.",
  "id": "GHSA-cr7q-2w66-hjcm",
  "modified": "2025-09-29T18:36:50Z",
  "published": "2025-09-27T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7647"
    },
    {
      "type": "WEB",
      "url": "https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/run-llama/llama_index"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/a2baa08f-98bf-47a8-ac83-06f7411afd9e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "llama-index-core insecurely handles temporary files"
}

GHSA-F2M9-WCF4-CWWX

Vulnerability from github – Published: 2026-05-18 21:31 – Updated: 2026-05-29 19:53
VLAI
Summary
MLFlow Creates a Temporary File With Insecure Permissions
Details

In mlflow/mlflow versions prior to 3.11.0, the get_or_create_nfs_tmp_dir() function in mlflow/utils/file_utils.py creates temporary directories with world-writable permissions (0o777), and the _create_model_downloading_tmp_dir() function in mlflow/pyfunc/__init__.py creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via cloudpickle.load(). This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-4137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T19:53:36Z",
    "nvd_published_at": "2026-05-18T21:16:40Z",
    "severity": "HIGH"
  },
  "details": "In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed.",
  "id": "GHSA-f2m9-wcf4-cwwx",
  "modified": "2026-05-29T19:53:36Z",
  "published": "2026-05-18T21:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4137"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/1dcbb0c2fbd1f446c328830e601ca13a28219b8a"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-4x5p-f36r-mxxr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/648dc30b-76c7-4433-86b8-f43d926fd8d6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MLFlow Creates a Temporary File With Insecure Permissions "
}

GHSA-F5FW-25GW-5M92

Vulnerability from github – Published: 2024-09-25 09:30 – Updated: 2025-09-05 16:11
VLAI
Summary
Apache Hadoop: Temporary File Local Information Disclosure
Details

Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.hadoop:hadoop-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-378"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-25T14:31:09Z",
    "nvd_published_at": "2024-09-25T08:15:04Z",
    "severity": "LOW"
  },
  "details": "Apache Hadoop\u2019s `RunJar.run()`\u00a0does not set permissions for temporary directory\u00a0by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.",
  "id": "GHSA-f5fw-25gw-5m92",
  "modified": "2025-09-05T16:11:56Z",
  "published": "2024-09-25T09:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23454"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/hadoop/commit/8c2836402fbb2f619f1fef4ef625a8542e853a64"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/hadoop"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/HADOOP-19031"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241101-0002"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/09/25/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Hadoop: Temporary File Local Information Disclosure"
}

GHSA-G3WG-6MCF-8JJ6

Vulnerability from github – Published: 2020-11-04 17:50 – Updated: 2023-11-27 23:07
VLAI
Summary
Local Temp Directory Hijacking Vulnerability
Details

Impact

On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.

Additionally, any user code uses of WebAppContext::getTempDirectory would similarly be vulnerable.

Additionally, any user application code using the ServletContext attribute for the tempdir will also be impacted. See: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR

For example:

import java.io.File;
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ExampleServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised
        // do something with that temp dir
    }
}

Example: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them.

CVSSv3.1 Evaluation

This vulnerability has been calculated to have a CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Patches

Fixes were applied to the 9.4.x branch with: - https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb - https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f

These will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3

Workarounds

A work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system. For recent releases, a temporary directory can be created simple by creating a directory called work in the ${jetty.base} directory (the parent directory of the webapps directory). Alternately the java temporary directory can be set with the System Property java.io.tmpdir. A more detailed description of how jetty selects a temporary directory is below.

The Jetty search order for finding a temporary directory is as follows:

  1. If the WebAppContext has a temp directory specified, use it.
  2. If the ServletContext has the javax.servlet.context.tempdir attribute set, and if directory exists, use it.
  3. If a ${jetty.base}/work directory exists, use it (since Jetty 9.1)
  4. If a ServletContext has the org.eclipse.jetty.webapp.basetempdir attribute set, and if the directory exists, use it.
  5. Use System.getProperty("java.io.tmpdir") and use it.

Jetty will end traversal at the first successful step. To mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker.

Setting a Jetty server temporary directory.

Choices 3 and 5 apply to the server level, and will impact all deployed webapps on the server.

For choice 3 just create that work directory underneath your ${jetty.base} and restart Jetty.

For choice 5, just specify your own java.io.tmpdir when you start the JVM for Jetty.

[jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar

Setting a Context specific temporary directory.

The rest of the choices require you to configure the context for that deployed webapp (seen as ${jetty.base}/webapps/<context>.xml)

Example (excluding the DTD which is version specific):

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath"><Property name="foo"/></Set>
  <Set name="war">/var/web/webapps/foo.war</Set>
  <Set name="tempDirectory">/var/web/work/foo</Set>
</Configure>

References

Similar Vulnerabilities

Similar, but not the same.

  • JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
  • Google Guava - https://github.com/google/guava/issues/4011
  • Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
  • JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824

For more information

The original report of this vulnerability is below:

On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh jonathan.leitschuh@gmail.com wrote: Hi WebTide Security Team,

I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty.

https://lgtm.com/query/5615014766184643449/

I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users. There exists a race condition between the deletion of the temporary file and the creation of the directory.

java // ensure file will always be unique by appending random digits tmpDir = File.createTempFile(temp, ".dir", parent); // Attacker knows the full path of the file that will be generated // delete the file that was created tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. // and make a directory of the same name // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory tmpDir.mkdirs();

https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518

In several cases the parent parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback.

https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468

If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.

Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories

This vulnerability disclosure follows Google's 90-day vulnerability disclosure policy (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.

Cheers, Jonathan Leitschuh

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-webapp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.4.33.v20201020"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.mortbay.jetty:jetty-webapp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.4.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.0.beta2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-webapp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0.beta1"
            },
            {
              "fixed": "10.0.0.beta3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.0.beta2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.mortbay.jetty:jetty-webapp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0.beta1"
            },
            {
              "fixed": "10.0.0.beta3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.0.beta2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-webapp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0.beta1"
            },
            {
              "fixed": "11.0.0.beta3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.0.beta2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.mortbay.jetty:jetty-webapp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0.beta1"
            },
            {
              "fixed": "11.0.0.beta3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-27216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378",
      "CWE-379",
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-04T17:48:31Z",
    "nvd_published_at": "2020-10-23T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nOn Unix like systems, the system\u0027s temporary directory is shared between all users on that system.  A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory.  If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files.  If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.\n\nAdditionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable.\n\nAdditionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted.\nSee: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR\n\nFor example:\n```java\nimport java.io.File;\nimport java.io.IOException;\nimport javax.servlet.ServletContext;\nimport javax.servlet.ServletException;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\n\npublic class ExampleServlet extends HttpServlet {\n    @Override\n    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {\n        File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised\n        // do something with that temp dir\n    }\n}\n```\n\nExample: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them.\n\n### CVSSv3.1 Evaluation\n\nThis vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\u0026version=3.1)\n\n### Patches\nFixes were applied to the 9.4.x branch with:\n- https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb\n- https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f\n\nThese will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3\n\n### Workarounds\n\nA work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system.\nFor recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory).\nAlternately the java temporary directory can be set with the System Property `java.io.tmpdir`.    A more detailed description of how jetty selects a temporary directory is below.\n\nThe Jetty search order for finding a temporary directory is as follows:\n\n1. If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it.\n2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it.\n3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1)\n4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it.\n5. Use `System.getProperty(\"java.io.tmpdir\")` and use it.\n\nJetty will end traversal at the first successful step.\nTo mitigate this vulnerability the directory must be set to one that is not writable by an attacker.  To avoid information leakage, the directory should also not be readable by an attacker.\n\n#### Setting a Jetty server temporary directory.\n\nChoices 3 and 5 apply to the server level, and will impact all deployed webapps on the server.\n\nFor choice 3  just create that work directory underneath your `${jetty.base}` and restart Jetty.\n\nFor choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty.\n\n``` shell\n[jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar\n```\n\n#### Setting a Context specific temporary directory.\n\nThe rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/\u003ccontext\u003e.xml`)\n\nExample (excluding the DTD which is version specific):\n\n``` xml\n\u003cConfigure class=\"org.eclipse.jetty.webapp.WebAppContext\"\u003e\n  \u003cSet name=\"contextPath\"\u003e\u003cProperty name=\"foo\"/\u003e\u003c/Set\u003e\n  \u003cSet name=\"war\"\u003e/var/web/webapps/foo.war\u003c/Set\u003e\n  \u003cSet name=\"tempDirectory\"\u003e/var/web/work/foo\u003c/Set\u003e\n\u003c/Configure\u003e\n```\n\n### References\n \n - https://github.com/eclipse/jetty.project/issues/5451\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473)\n\n### Similar Vulnerabilities\n\nSimilar, but not the same.\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n\n### For more information\n\nThe original report of this vulnerability is below:\n\n\u003e On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh \u003cjonathan.leitschuh@gmail.com\u003e wrote:\n\u003e Hi WebTide Security Team,\n\u003e\n\u003e I\u0027m a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty.\n\u003e\n\u003e https://lgtm.com/query/5615014766184643449/\n\u003e\n\u003e I\u0027ve recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users.\n\u003e There exists a race condition between the deletion of the temporary file and the creation of the directory.\n\u003e\n\u003e ```java\n\u003e // ensure file will always be unique by appending random digits\n\u003e tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated\n\u003e // delete the file that was created\n\u003e tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty.\n\u003e // and make a directory of the same name\n\u003e // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory\n\u003e tmpDir.mkdirs();\n\u003e ```\n\u003e\n\u003e https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518\n\u003e\n\u003e In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback.\n\u003e\n\u003e\n\u003e https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468\n\u003e\n\u003e If any code is ever executed out of this temporary directory, this can lead to a local privilege\u00a0escalation vulnerability.\n\u003e\n\u003e Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there?\u00a0https://github.com/eclipse/jetty.project/security/advisories\n\u003e\n\u003e **This vulnerability disclosure follows Google\u0027s [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I\u0027m not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.**\n\u003e\n\u003e Cheers,\n\u003e Jonathan Leitschuh\n\n\n",
  "id": "GHSA-g3wg-6mcf-8jj6",
  "modified": "2023-11-27T23:07:50Z",
  "published": "2020-11-04T17:50:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27216"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/issues/5451"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/codeql/pull/4473"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/raa9c370ab42d737e93bc1795bb6a2187d7c60210cd5e3b3ce8f3c484@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rad255c736fad46135f1339408cb0147d0671e45c376c3be85ceeec1a@%3Cnotifications.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rae15d73cabef55bad148e4e6449b05da95646a2a8db3fc938e858dff@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/raf9c581b793c30ff8f55f2415c7bd337eb69775aae607bf9ed1b16fb@%3Cdev.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rafb023a7c61180a1027819678eb2068b0b60cd5c2559cb8490e26c81@%3Cissues.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb077d35f2940191daeefca0d6449cddb2e9d06bcf8f5af4da2df3ca2@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb5f2558ea2ac63633dfb04db1e8a6ea6bb1a2b8614899095e16c6233@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb69b1d7008a4b3de5ce5867e41a455693907026bc70ead06867aa323@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb7e159636b26156f6ef2b2a1a79b3ec9a026923b5456713e68f7c18e@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb81a018f83fe02c95a2138a7bb4f1e1677bd7e1fc1e7024280c2292d@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb8ad3745cb94c60d44cc369aff436eaf03dbc93112cefc86a2ed53ba@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb8c007f87dc57731a7b9a3b05364530422535b7e0bc6a0c5b68d4d55@%3Cdev.felix.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbc5a622401924fadab61e07393235838918228b3d8a1a6704295b032@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b@%3Cissues.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbf99e4495461099cad9aa62e0164f8f25a7f97b791b4ace56e375f8d@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc1646894341450fdc4f7e96a88f5e2cf18d8004714f98aec6b831b3e@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc1d9b8e9d17749d4d2b9abaaa72c422d090315bd6bc0ae73a16abc1c@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re08b03cd1754b32f342664eead415af48092c630c8e3e0deba862a26@%3Ccommits.shiro.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1d45051310b11c6d6476f20d71b08ea97cb76846cbf61d196bac1c3f@%3Cdev.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8cacf91ae1b17cc6531d20953c52fa52f6fd3191deb3383446086ab7@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8dd01541fc49d24ec223365a9974231cbd7378b749247a89b0a52210@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8fead0144bb84d8714695c43607dca9c5101aa028a431ec695882fe5@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r90b5ac6e2bf190a5297bda58c7ec76d01cd86ff050b2470fcd9f4b35@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r911c1879258ebf98bca172c0673350eb7ea6569ca1735888d4cb7adc@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r916b6542bd5b15a8a7ff8fc14a0e0331e8e3e9d682f22768ae71d775@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r93b240be16e642579ed794325bae31b040e1af896ecc12466642e19d@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r93d5e81e879120d8d87925dbdd4045cb3afa9b066f4370f60b626ce3@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9b790fe3a93121199f41258474222f15002b2f729495aa7ecbf90718@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9c010b79140452294292379183e7fe8e3533c5bb4db3f3fb39a6df61@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9cc76b98f87738791b8ec3736755f92444d3c8cb26bd4e4ffdb5c1cc@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9cd444f944241dc26d9b8b007fe8971ed7f005b56befef7a4f4fb827@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9d9b4b93df7f92cdf1147db0fc169be1776c93d1fbc63bc65721fffd@%3Cdev.knox.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r9f8c45a2a4540911cd8bd0485f67e8091883c9234d7a3aeb349c46c1@%3Creviews.iotdb.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra1f19625cc67ac1b459c558f2ea5647d71ce51c6fe4f4cb03baec849@%3Cnotifications.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra55e04d5a73afcb8383f4386e2b26832c6e3972e53827021ab885943@%3Ccommits.shiro.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra5b7313d8cc9411db6790adfba33f2cf0665cb77adb7b02043c95867@%3Cdev.felix.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re5706141ca397587f7ee0f500a39ccc590a41f802fc125fc135cb92f@%3Cnotifications.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ree506849c4f04376793b1a3076bc017da60b8a2ef2702dc214ff826f@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/refbbb0eb65c185d1fa491cee08ac8ed32708ce3b269133a6da264317@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf00ea6376f3d0e8b8f62cf6d4a4f28b24e27193acd2c851f618aa41e@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf3bc023a7cc729aeac72f482e2eeeab9008aa6b1dadbeb3f45320cae@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfd9f102864a039f7fda64a580dfe1a342d65d7b723ca06dc9fbceb31@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfe5caef1fd6cf4b8ceac1b63c33195f2908517b665c946c020d3fbd6@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfe6ba83d14545e982400dea89e68b10113cb5202a3dcb558ce64842d@%3Cissues.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rff0ad6a7dac2182421e2db2407e44fbb61a89904adfd91538f21fbf8@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20201123-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4949"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc2e24756d28580eeac811c5c6a12012c9f424b6e5bffb89f98ee3d03@%3Cdev.felix.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc44d1147f78496ec9932a38b28795ff4fd0c4fa6e3b6f5cc33c14d29@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc4b972ea10c5a65c6a88a6e233778718ab9af7f484affdd5e5de0cff@%3Ccommits.felix.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc77918636d8744d50312e4f67ba2e01f47db3ec5144540df8745cb38@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc8dd95802be0cca8d7d0929c0c8484ede384ecb966b2a9dc7197b089@%3Creviews.iotdb.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc9d2ab8a6c7835182f20b01104798e67c75db655c869733a0713a590@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rccedec4cfd5df6761255b71349e3b7c27ee0745bd33698a71b1775cf@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rcdcf32952397c83a1d617a8c9cd5c15c98b8d0d38a607972956bde7e@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rcdd56ab4255801a0964dcce3285e87f2c6994e6469e189f6836f34e3@%3Cnotifications.iotdb.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rcfb95a7c69c4b9c082ea1918e812dfc45aa0d1e120fd47f68251a336@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rcff5caebfd535195276aaabc1b631fd55a4ff6b14e2bdfe33f18ff91@%3Creviews.iotdb.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd58b60ab2e49ebf21022e59e280feb25899ff785c88f31fe314aa5b9@%3Ccommits.shiro.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd7e62e2972a41c2658f41a824b8bdd15644d80fcadc51fe7b7c855de@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rdbf1cd0ab330c032f3a09b453cb6405dccc905ad53765323bddab957@%3Cissues.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rdddb4b06e86fd58a1beda132f22192af2f9b56aae8849cb3767ccd55@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553@%3Cdev.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rde782fd8e133f7e04e50c8aaa4774df524367764eb5b85bf60d96747@%3Cnotifications.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1dbb87c9255ecefadd8de514fa1d35c1d493c0527d7672cf40505d04@%3Ccommits.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1ed79516bd6d248ea9f0e704dbfd7de740d5a75b71c7be8699fec824@%3Cnotifications.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1ef28b89ff0281c87ba3a7659058789bf28a99b8074191f1c3678db8@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1fe31643fc34b4a33ae3d416d92c271aa97663f1782767d25e1d9ff8@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2122537d3f9beb0ce59f44371a951b226406719919656ed000984bd0@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r279254a1bd6434c943da52000476f307e62b6910755387aeca1ec9a1@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2aa316d008dab9ae48350b330d15dc1b863ea2a933558fbfc42b91a6@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2d17b2a4803096ba427f3575599ea29b55f5cf9dbc1f12ba044cae1a@%3Cnotifications.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2e02700f7cfecb213de50be83e066086bea90278cd753db7fdc2ccff@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2f732ee49d00610683ab5ddb4692ab25136b00bfd132ca3a590218a9@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3042a9dd2973aa229e52d022df7813e4d74b67df73bfa6d97bb0caf8@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r336b1694a01858111e4625fb9ab2b07ad43a64a525cf6402e06aa6bf@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r351298dd39fc1ab63303be94b0c0d08acd72b17448e0346d7386189b@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r382870d6ccfd60533eb0d980688261723ed8a0704dafa691c4e9aa68@%3Ccommits.iotdb.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3a763de620be72b6d74f46ec4bf39c9f35f8a0b39993212c0ac778ec@%3Ccommits.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3b0ce1549a1ccdd7e51ec66daf8d54d46f1571edbda88ed09c96d7da@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/378.html"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/379.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse/jetty.project"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r0259b14ae69b87821e27fed1f5333ea86018294fd31aab16b1fac84e@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r07525dc424ed69b3919618599e762f9ac03791490ca9d724f2241442@%3Cdev.felix.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r09b345099b4f88d2bed7f195a96145849243fb4e53661aa3bcf4c176@%3Cissues.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r0d7ad4f02c44d5d53a9ffcbca7ff4a8138241322da9c5c35b5429630@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r0d95e01f52667f44835c40f6dea72bb4397f33cd70a564ea74f3836d@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r0df8fe10fc36028cf6d0381ab66510917d0d68bc5ef7042001d03830@%3Cdev.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r0e9efe032cc65433251ee6470c66c334d4e7db9101e24cf91a3961f2@%3Ccommits.directory.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r0f5e9b93133ef3aaf31484bc3e15cc4b85f8af0fe4de2dacd9379d72@%3Cdev.felix.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r100c5c7586a23a19fdb54d8a32e17cd0944bdaa46277b35c397056f6@%3Cnotifications.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r171846414347ec5fed38241a9f8a009bd2c89d902154c6102b1fb39a@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r185d10aae8161c08726f3ba9a1f1c47dfb97624ea6212fa217173204@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r18b6f10d9939419bae9c225d5058c97533cb376c9d6d0a0733ddd48d@%3Cnotifications.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r19e8b338af511641d211ff45c43646fe1ae19dc9897d69939c09cabe@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1d40368a309f9d835dcdd900249966e4fcbdf98c1cc4c84db2cd9964@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6b83ca85c8f9a6794b1f85bc70d1385ed7bc1ad07750d0977537154a@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6dfa64ecc3d67c1a71c08bfa04064549179d499f8e20a8285c57bd51@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6f51a654ac2e67e3d1c65a8957cbbb127c3f15b64b4fcd626df03633@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r70f8bcccd304bd66c1aca657dbfc2bf11f73add9032571b01f1f733d@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r71da5f51ef04cb95abae560425dce9667740cbd567920f516f76efb7@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r73b5a9b677b707bbb7c1469ea746312c47838b312603bada9e382bba@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r761a52f1e214efec286ee80045d0012e955eebaa72395ad62cccbcfc@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r769411eb43dd9ef77665700deb7fc491fc3ceb532914260c90b56f2f@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r77dd041d8025a869156481d2268c67ad17121f64e31f9b4a1a220145@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7bdc83513c12db1827b79b8d57a7a0975a25d28bc6c5efe590ec1e02@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7da5ae60d7973e8894cfe92f49ecb5b47417eefab4c77cc87514d3cf@%3Cdev.felix.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8045eedd6bb74efcd8e01130796adbab98ee4a0d1273509fb1f2077a@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r819857361f5a156e90d6d06ccf6c41026bc99030d60d0804be3a9957@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r827d17bf6900eddc686f4b6ee16fc5e52ca0070f8df7612222c40ac5@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r874688141495df766e62be095f1dfb0bf4a24ca0340d8e0215c03fab@%3Cissues.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r87b0c69fef09277333a7e1716926d1f237d462e143a335854ddd922f@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r87d8337300a635d66f0bb838bf635cdfcbba6b92c608a7813adbf4f4@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8866f0cd2a3b319288b7eea20ac137b9f260c813d10ee2db88b65d32@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3e05ab0922876e74fea975d70af82b98580f4c14ba643c4f8a9e3a94@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3f32cb4965239399c22497a0aabb015b28b2372d4897185a6ef0ccd7@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r407c316f6113dfc76f7bb3cb1693f08274c521064a92e5214197548e@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4179c71908778cc0598ee8ee1eaed9b88fc5483c65373f45e087f650@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r44115ebfbf3b7d294d7a75f2d30bcc822dab186ebbcc2dce11915ca9@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4946ffd86ad6eb7cb7863311235c914cb41232380de8d9dcdb3c115c@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4f29fb24639ebc5d15fc477656ebc2b3aa00fcfbe197000009c26b40@%3Cissues.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r503045a75f4419d083cb63ac89e765d6fb8b10c7dacc0c54fce07cff@%3Creviews.iotdb.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r547bb14c88c5da2588d853ed3030be0109efa537dd797877dff14afd@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5494fdaf4a0a42a15c49841ba7ae577d466d09239ee1050458da0f29@%3Cjira.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r556787f1ab14da034d79dfff0c123c05877bbe89ef163fd359b4564c@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r568d354961fa88f206dc345411fb11d245c6dc1a8da3e80187fc6706@%3Cdev.zookeeper.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r58f5b14dc5ae43583db3a7e872419aca97ebe47bcd7f7334f4128016@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r59e0878013d329dcc481eeafebdb0ee445b1e2852d0c4827b1ddaff2@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5a07f274f355c914054c7357ad6d3456ffaca064f26cd780acb90a9a@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5a9462096c71593e771602beb0e69357adb5175d9a5c18d5181e0ab4@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6236ae4adc401e3b2f2575c22865f2f6c6ea9ff1d7b264b40d9602af@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r66e99d973fd79ddbcb3fbdb24f4767fe9b911f5b0abb05d7b6f65801@%3Ccommits.zookeeper.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Local Temp Directory Hijacking Vulnerability"
}

GHSA-G5M2-22H2-RR3J

Vulnerability from github – Published: 2022-05-14 02:09 – Updated: 2024-09-30 16:48
VLAI
Summary
Creation of Temporary File With Insecure Permissions in logilab-commons
Details

The Execute class in shellutils in logilab-common before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "logilab-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.61.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-1839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-07T22:48:13Z",
    "nvd_published_at": "2014-03-11T19:37:00Z",
    "severity": "MODERATE"
  },
  "details": "The Execute class in shellutils in logilab-common before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file.",
  "id": "GHSA-g5m2-22h2-rr3j",
  "modified": "2024-09-30T16:48:42Z",
  "published": "2022-05-14T02:09:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1839"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-g5m2-22h2-rr3j"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/logilab-common/PYSEC-2014-84.yaml"
    },
    {
      "type": "WEB",
      "url": "http://comments.gmane.org/gmane.comp.security.oss.general/11986"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-02/msg00085.html"
    },
    {
      "type": "WEB",
      "url": "http://www.logilab.org/ticket/207562"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Creation of Temporary File With Insecure Permissions in logilab-commons"
}

GHSA-GFC5-FM98-FG6J

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

Multiple vulnerabilities in the install, uninstall, and upgrade processes of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to hijack DLL or executable files that are used by the application. A successful exploit could allow the attacker to execute arbitrary code on an affected device with SYSTEM privileges. To exploit these vulnerabilities, the attacker must have valid credentials on the Windows system. For more information about these vulnerabilities, see the Details section of this advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378",
      "CWE-427"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-06T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple vulnerabilities in the install, uninstall, and upgrade processes of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to hijack DLL or executable files that are used by the application. A successful exploit could allow the attacker to execute arbitrary code on an affected device with SYSTEM privileges. To exploit these vulnerabilities, the attacker must have valid credentials on the Windows system. For more information about these vulnerabilities, see the Details section of this advisory.",
  "id": "GHSA-gfc5-fm98-fg6j",
  "modified": "2022-05-24T19:01:36Z",
  "published": "2022-05-24T19:01:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1496"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-code-exec-jR3tWTA6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Requirements

Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.

Mitigation
Implementation

Ensure that you use proper file permissions. This can be achieved by using a safe temp file function. Temporary files should be writable and readable only by the process that owns the file.

Mitigation
Implementation

Randomize temporary file names. This can also be achieved by using a safe temp-file function. This will ensure that temporary files will not be created in predictable places.

No CAPEC attack patterns related to this CWE.