Common Weakness Enumeration

CWE-379

Allowed

Creation of Temporary File in Directory with Insecure Permissions

Abstraction: Base · Status: Incomplete

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

112 vulnerabilities reference this CWE, most recent first.

CVE-2026-54328 (GCVE-0-2026-54328)

Vulnerability from cvelistv5 – Published: 2026-06-23 19:25 – Updated: 2026-06-24 13:38
VLAI
Title
Pi: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
Summary
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user's process. This vulnerability is fixed in 0.78.1.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
Assigner
Impacted products
Vendor Product Version
earendil-works pi Affected: >= 0.74.0, < 0.78.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54328",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T13:37:52.524343Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T13:38:04.242Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pi",
          "vendor": "earendil-works",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.74.0, \u003c 0.78.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user\u0027s process.  This vulnerability is fixed in 0.78.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T19:25:04.051Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/earendil-works/pi/security/advisories/GHSA-jfgx-wxx8-mp94",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/earendil-works/pi/security/advisories/GHSA-jfgx-wxx8-mp94"
        },
        {
          "name": "https://github.com/earendil-works/pi/pull/5345",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/earendil-works/pi/pull/5345"
        },
        {
          "name": "https://github.com/earendil-works/pi/commit/a98e087e5d08ea2a536bf73dbb0aebb87c3ef72e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/earendil-works/pi/commit/a98e087e5d08ea2a536bf73dbb0aebb87c3ef72e"
        },
        {
          "name": "https://github.com/earendil-works/pi/commit/ea3465a8e371a12d0167a06b60f93878e3a3df44",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/earendil-works/pi/commit/ea3465a8e371a12d0167a06b60f93878e3a3df44"
        },
        {
          "name": "https://github.com/earendil-works/pi/releases/tag/v0.78.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/earendil-works/pi/releases/tag/v0.78.1"
        }
      ],
      "source": {
        "advisory": "GHSA-jfgx-wxx8-mp94",
        "discovery": "UNKNOWN"
      },
      "title": "Pi: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54328",
    "datePublished": "2026-06-23T19:25:04.051Z",
    "dateReserved": "2026-06-12T18:42:02.224Z",
    "dateUpdated": "2026-06-24T13:38:04.242Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46388 (GCVE-0-2026-46388)

Vulnerability from cvelistv5 – Published: 2026-07-10 14:44 – Updated: 2026-07-10 19:03
VLAI
Title
osquery: Unprivileged users can temporarily read file carve contents
Summary
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-279 - Incorrect Execution-Assigned Permissions
  • CWE-378 - Creation of Temporary File With Insecure Permissions
  • CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
Assigner
Impacted products
Vendor Product Version
osquery osquery Affected: < 5.23.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46388",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-10T19:03:00.746306Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-10T19:03:08.593Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "osquery",
          "vendor": "osquery",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.23.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-279",
              "description": "CWE-279: Incorrect Execution-Assigned Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-378",
              "description": "CWE-378: Creation of Temporary File With Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T14:44:52.865Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/osquery/osquery/security/advisories/GHSA-fg78-9q98-62hh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/osquery/osquery/security/advisories/GHSA-fg78-9q98-62hh"
        },
        {
          "name": "https://github.com/osquery/osquery/pull/8961",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/osquery/osquery/pull/8961"
        },
        {
          "name": "https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68"
        },
        {
          "name": "https://github.com/osquery/osquery/releases/tag/5.23.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/osquery/osquery/releases/tag/5.23.1"
        }
      ],
      "source": {
        "advisory": "GHSA-fg78-9q98-62hh",
        "discovery": "UNKNOWN"
      },
      "title": "osquery: Unprivileged users can temporarily read file carve contents"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46388",
    "datePublished": "2026-07-10T14:44:52.865Z",
    "dateReserved": "2026-05-13T19:53:47.922Z",
    "dateUpdated": "2026-07-10T19:03:08.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42191 (GCVE-0-2026-42191)

Vulnerability from cvelistv5 – Published: 2026-05-12 19:12 – Updated: 2026-05-13 14:16
VLAI
Title
OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local blob injection for OTLP Exporter
Summary
OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured. The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this allows an attacker to write crafted *.blob files, read *.blob files written by the application between export failures, or deposit numerous or oversized blob files, degrading retry-loop performance or consuming disk space. This vulnerability is fixed in 1.15.3.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
Assigner
References
Impacted products
Vendor Product Version
open-telemetry opentelemetry-dotnet Affected: >= 1.8.0, < 1.15.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42191",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T14:16:04.904029Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:16:18.810Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-dotnet",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.8.0, \u003c 1.15.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured. The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this allows an attacker to write crafted *.blob files, read *.blob files written by the application between export failures, or deposit numerous or oversized blob files, degrading retry-loop performance or consuming disk space. This vulnerability is fixed in 1.15.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T19:12:03.221Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-4625-4j76-fww9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-4625-4j76-fww9"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7106",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7106"
        }
      ],
      "source": {
        "advisory": "GHSA-4625-4j76-fww9",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local blob injection for OTLP Exporter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42191",
    "datePublished": "2026-05-12T19:12:03.221Z",
    "dateReserved": "2026-04-25T01:53:21.583Z",
    "dateUpdated": "2026-05-13T14:16:18.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-7539 (GCVE-0-2026-7539)

Vulnerability from cvelistv5 – Published: 2026-06-24 19:47 – Updated: 2026-06-26 03:55
VLAI
Title
HP Dock Accessory WMI Provider Installer Security Update
Summary
A potential security vulnerability has been identified in the HP Accessory WMI Provider installer for some HP Docking Stations, which might allow escalation of privilege and/or arbitrary code execution. HP is releasing software updates to mitigate the potential vulnerability.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-379 - Creation of temporary file in directory with insecure permissions
Assigner
hp
Impacted products
Vendor Product Version
HP Inc. HP Dock Accessory Affected: 0 , < <1.4.11.0 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-7539",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T03:55:52.786Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HP Dock Accessory",
          "vendor": "HP Inc.",
          "versions": [
            {
              "lessThan": "\u003c1.4.11.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A potential security vulnerability has been identified in the HP Accessory WMI Provider installer for some HP Docking Stations, which might allow escalation of privilege and/or arbitrary code execution. HP is releasing software updates to mitigate the potential vulnerability."
            }
          ],
          "value": "A potential security vulnerability has been identified in the HP Accessory WMI Provider installer for some HP Docking Stations, which might allow escalation of privilege and/or arbitrary code execution. HP is releasing software updates to mitigate the potential vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "CWE-379 Creation of temporary file in directory with insecure permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T19:47:15.371Z",
        "orgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2",
        "shortName": "hp"
      },
      "references": [
        {
          "url": "https://support.hp.com/us-en/document/ish_15190804-15190818-16/hpsbhf04129"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HP Dock Accessory WMI Provider Installer Security Update",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "74586083-13ce-40fd-b46a-8e5d23cfbcb2",
    "assignerShortName": "hp",
    "cveId": "CVE-2026-7539",
    "datePublished": "2026-06-24T19:47:15.371Z",
    "dateReserved": "2026-04-30T18:32:09.603Z",
    "dateUpdated": "2026-06-26T03:55:52.786Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2817 (GCVE-0-2026-2817)

Vulnerability from cvelistv5 – Published: 2026-02-19 17:18 – Updated: 2026-02-20 20:31 Unsupported When Assigned X_Open Source
VLAI
Title
Spring Data Geode Insecure Temporary Directory Usage
Summary
Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache data.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
  • CWE-378 - Creation of Temporary File With Insecure Permissions
  • CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
Assigner
Impacted products
Vendor Product Version
VMware Spring Data Geode Affected: 2.0.0.RELEASE , ≤ 2.7.18 (maven)
Create a notification for this product.
VMware Spring Data Gemfire Affected: 1.7.0.RELEASE , ≤ 2.2.13.RELEASE (maven)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2817",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T20:31:34.178282Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T20:31:49.664Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "org.springframework.data:spring-data-geode",
          "product": "Spring Data Geode",
          "repo": "https://github.com/spring-attic/spring-data-geode",
          "vendor": "VMware",
          "versions": [
            {
              "lessThanOrEqual": "2.7.18",
              "status": "affected",
              "version": "2.0.0.RELEASE",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageName": "org.springframework.data:spring-data-gemfire",
          "product": "Spring Data Gemfire",
          "repo": "https://github.com/spring-attic/spring-data-gemfire",
          "vendor": "VMware",
          "versions": [
            {
              "lessThanOrEqual": "2.2.13.RELEASE",
              "status": "affected",
              "version": "1.7.0.RELEASE",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user\u2019s extracted snapshot\u0026nbsp;contents, leading to unintended exposure of cache data."
            }
          ],
          "value": "Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user\u2019s extracted snapshot\u00a0contents, leading to unintended exposure of cache data."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-149",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-149 Explore for Predictable Temporary File Names"
            }
          ]
        },
        {
          "capecId": "CAPEC-155",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-155 Screen Temporary Files for Sensitive Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-538",
              "description": "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-378",
              "description": "CWE-378: Creation of Temporary File With Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-19T17:18:09.839Z",
        "orgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
        "shortName": "HeroDevs"
      },
      "references": [
        {
          "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-2817"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "unsupported-when-assigned",
        "x_open-source"
      ],
      "title": "Spring Data Geode Insecure Temporary Directory Usage",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36c7be3b-2937-45df-85ea-ca7133ea542c",
    "assignerShortName": "HeroDevs",
    "cveId": "CVE-2026-2817",
    "datePublished": "2026-02-19T17:18:09.839Z",
    "dateReserved": "2026-02-19T17:07:39.475Z",
    "dateUpdated": "2026-02-20T20:31:49.664Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-71176 (GCVE-0-2025-71176)

Vulnerability from cvelistv5 – Published: 2026-01-22 04:59 – Updated: 2026-01-22 12:26
VLAI
Summary
pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
Assigner
Impacted products
Vendor Product Version
pytest pytest Affected: 0 , ≤ 9.0.2 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-71176",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-22T12:26:25.446376Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-22T12:26:39.653Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "packageURL": "pkg:pypi/pytest",
          "product": "pytest",
          "vendor": "pytest",
          "versions": [
            {
              "lessThanOrEqual": "9.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "CWE-379 Creation of Temporary File in Directory with Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T06:50:44.054Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/pytest-dev/pytest/issues/13669"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2026/01/21/5"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-71176",
    "datePublished": "2026-01-22T04:59:17.273Z",
    "dateReserved": "2026-01-22T04:59:16.985Z",
    "dateUpdated": "2026-01-22T12:26:39.653Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64896 (GCVE-0-2025-64896)

Vulnerability from cvelistv5 – Published: 2025-12-09 20:39 – Updated: 2025-12-09 20:56
VLAI
Title
Creative Cloud Desktop | Creation of Temporary File in Directory with Incorrect Permissions (CWE-379)
Summary
Creative Cloud Desktop versions 6.4.0.361 and earlier are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to disrupt the application's functionality by manipulating temporary files. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-379 - Creation of Temporary File in Directory with Incorrect Permissions (CWE-379)
Assigner
References
Impacted products
Vendor Product Version
Adobe Creative Cloud Desktop Affected: 0 , ≤ 6.4.0.361 (semver)
Create a notification for this product.
Date Public
2025-12-09 17:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64896",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-09T20:56:37.238237Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-09T20:56:43.309Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Creative Cloud Desktop",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "6.4.0.361",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-12-09T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Creative Cloud Desktop versions 6.4.0.361 and earlier are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to disrupt the application\u0027s functionality by manipulating temporary files. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 5.5,
            "environmentalSeverity": "MEDIUM",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "NONE",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "NONE",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 5.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "Creation of Temporary File in Directory with Incorrect Permissions (CWE-379)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T20:39:50.648Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/creative-cloud/apsb25-120.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Creative Cloud Desktop | Creation of Temporary File in Directory with Incorrect Permissions (CWE-379)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-64896",
    "datePublished": "2025-12-09T20:39:50.648Z",
    "dateReserved": "2025-11-11T22:48:38.847Z",
    "dateUpdated": "2025-12-09T20:56:43.309Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-33111 (GCVE-0-2025-33111)

Vulnerability from cvelistv5 – Published: 2025-12-08 21:28 – Updated: 2025-12-09 16:05
VLAI
Title
IBM Controller Information Disclosure
Summary
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
Assigner
ibm
References
URL Tags
https://www.ibm.com/support/pages/node/7253273 vendor-advisorypatch
Impacted products
Vendor Product Version
IBM Controller Affected: 11.1.0 , ≤ 11.1.1 (semver)
    cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:controller:11.1.1:*:*:*:*:*:*:*
Create a notification for this product.
IBM Cognos Controller Affected: 11.0.0 , ≤ 11.0.1 FP6 (semver)
    cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:cognos_controller:11.0.1:FP6:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-33111",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-09T15:25:17.501554Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-09T16:05:55.300Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:controller:11.1.1:*:*:*:*:*:*:*"
          ],
          "product": "Controller",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "11.1.1",
              "status": "affected",
              "version": "11.1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "cpes": [
            "cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:cognos_controller:11.0.1:FP6:*:*:*:*:*:*"
          ],
          "product": "Cognos Controller",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "11.0.1 FP6",
              "status": "affected",
              "version": "11.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks.\u003c/p\u003e"
            }
          ],
          "value": "IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "CWE-379 Creation of Temporary File in Directory with Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T21:28:37.212Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7253273"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRemediation/Fixes It is strongly recommended that you apply the most recent security updates: Affected Product(s) Version(s) Fix IBM Controller 11.1.0 - 11.1.1 Download IBM Controller 11.1.2 from Passport Advantage IBM Cognos Controller 11.0.0 - 11.0.1 FP6 Download IBM Cognos Controller 11.0.1 FP7 from Fix Central IBM Controller 11.1.2 and IBM Cognos Controller 11.0.1 FP7 are available for Cloud deployments.\u003c/p\u003e"
            }
          ],
          "value": "Remediation/Fixes It is strongly recommended that you apply the most recent security updates: Affected Product(s) Version(s) Fix IBM Controller 11.1.0 - 11.1.1 Download IBM Controller 11.1.2 from Passport Advantage IBM Cognos Controller 11.0.0 - 11.0.1 FP6 Download IBM Cognos Controller 11.0.1 FP7 from Fix Central IBM Controller 11.1.2 and IBM Cognos Controller 11.0.1 FP7 are available for Cloud deployments."
        }
      ],
      "title": "IBM Controller Information Disclosure",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-33111",
    "datePublished": "2025-12-08T21:28:37.212Z",
    "dateReserved": "2025-04-15T17:50:49.744Z",
    "dateUpdated": "2025-12-09T16:05:55.300Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-32802 (GCVE-0-2025-32802)

Vulnerability from cvelistv5 – Published: 2025-05-28 17:08 – Updated: 2025-05-28 17:23
VLAI
Title
Insecure handling of file paths allows multiple local attacks
Summary
Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-73 - External Control of File Name or Path
  • CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
Assigner
isc
References
URL Tags
https://kb.isc.org/docs/cve-2025-32802 vendor-advisory
Impacted products
Vendor Product Version
ISC Kea Affected: 2.4.0 , ≤ 2.4.1 (custom)
Affected: 2.6.0 , ≤ 2.6.2 (custom)
Affected: 2.7.0 , ≤ 2.7.8 (custom)
Create a notification for this product.
Date Public
2025-05-28 00:00
Credits
ISC would like to thank Matthias Gerstner from the SUSE security team for bringing this vulnerability to our attention.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32802",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-28T17:23:10.150529Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-28T17:23:22.213Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Kea",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "2.4.1",
              "status": "affected",
              "version": "2.4.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.6.2",
              "status": "affected",
              "version": "2.6.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.7.8",
              "status": "affected",
              "version": "2.7.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Matthias Gerstner from the SUSE security team for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2025-05-28T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea.  Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.\nThis issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "If an attacker has access to a local unprivileged user account, and the Kea API entry points are not secured, the attacker can use the API to arbitrarily modify Kea\u0027s configuration or to overwrite any file Kea has write access to.  If Kea is running as root, the attacker could overwrite any local file.  This can lead to local privilege escalation and/or system-wide denial of service.  If control sockets are placed in an insecure location, any local user may be able to impersonate a Kea service or prevent the real Kea service from starting."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73 External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-379",
              "description": "CWE-379 Creation of Temporary File in Directory with Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-28T17:08:11.180Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2025-32802",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2025-32802"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of Kea: 2.4.2, 2.6.3, or 2.7.9."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Insecure handling of file paths allows multiple local attacks",
      "workarounds": [
        {
          "lang": "en",
          "value": "Two mitigation approaches are possible: (1) Disable the API entirely, by (1a) disabling the `kea-ctrl-agent`, and (1b) removing any `\"control-socket\"` stanzas from the Kea configuration files; or (2) Secure access to the API by (2a) requiring authentication (a password or client certificate) for the `kea-ctrl-agent`, and (2b) configuring all `\"control-socket\"` stanzas to use a directory restricted to only trusted users."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2025-32802",
    "datePublished": "2025-05-28T17:08:11.180Z",
    "dateReserved": "2025-04-10T12:51:45.055Z",
    "dateUpdated": "2025-05-28T17:23:22.213Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-32438 (GCVE-0-2025-32438)

Vulnerability from cvelistv5 – Published: 2025-04-15 19:57 – Updated: 2025-04-15 20:08
VLAI
Title
Local privilege escalation in make-initrd-ng
Summary
make-initrd-ng is a tool for copying binaries and their dependencies. Local privilege escalation affecting all NixOS users. With systemd.shutdownRamfs.enable enabled (the default) a local user is able to create a program that will be executed by root during shutdown. Patches exist for NixOS 24.11 and 25.05 / unstable. As a workaround, set systemd.shutdownRamfs.enable = false;.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-378 - Creation of Temporary File With Insecure Permissions
  • CWE-379 - Creation of Temporary File in Directory with Insecure Permissions
Assigner
Impacted products
Vendor Product Version
NixOS nixpkgs Affected: < b17590193d8e5697000c23c66afcf11e1753734d
Affected: < fbf76bf72b161b9f4ab97704a8258776d5f3ffba
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32438",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-15T20:08:46.640080Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T20:08:58.816Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nixpkgs",
          "vendor": "NixOS",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c b17590193d8e5697000c23c66afcf11e1753734d"
            },
            {
              "status": "affected",
              "version": "\u003c fbf76bf72b161b9f4ab97704a8258776d5f3ffba"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "make-initrd-ng is a tool for copying binaries and their dependencies. Local privilege escalation affecting all NixOS users. With systemd.shutdownRamfs.enable enabled (the default) a local user is able to create a program that will be executed by root during shutdown. Patches exist for NixOS 24.11 and 25.05 / unstable. As a workaround, set systemd.shutdownRamfs.enable = false;."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-378",
              "description": "CWE-378: Creation of Temporary File With Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-379",
              "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-15T19:57:04.668Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NixOS/nixpkgs/security/advisories/GHSA-m7pq-h9p4-8rr4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NixOS/nixpkgs/security/advisories/GHSA-m7pq-h9p4-8rr4"
        },
        {
          "name": "https://github.com/NixOS/nixpkgs/commit/b17590193d8e5697000c23c66afcf11e1753734d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nixpkgs/commit/b17590193d8e5697000c23c66afcf11e1753734d"
        },
        {
          "name": "https://github.com/NixOS/nixpkgs/commit/fbf76bf72b161b9f4ab97704a8258776d5f3ffba",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NixOS/nixpkgs/commit/fbf76bf72b161b9f4ab97704a8258776d5f3ffba"
        }
      ],
      "source": {
        "advisory": "GHSA-m7pq-h9p4-8rr4",
        "discovery": "UNKNOWN"
      },
      "title": "Local privilege escalation in make-initrd-ng"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-32438",
    "datePublished": "2025-04-15T19:57:04.668Z",
    "dateReserved": "2025-04-08T10:54:58.368Z",
    "dateUpdated": "2025-04-15T20:08:58.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Requirements

Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.

Mitigation
Implementation

Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories.

Mitigation
Implementation

Avoid using vulnerable temp file functions.

No CAPEC attack patterns related to this CWE.