CWE-379
AllowedCreation of Temporary File in Directory with Insecure Permissions
Abstraction: Base · Status: Incomplete
The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
112 vulnerabilities reference this CWE, most recent first.
GHSA-PC22-3G76-GM6J
Vulnerability from github – Published: 2021-03-11 03:09 – Updated: 2021-03-22 23:45Impact
On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory.
This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.
Java Code
The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.
https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185
Patches
Fix has been applied to the master branch with:
- https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89
included in release: 2.4.19
References
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-379: Creation of Temporary File in Directory with Insecure Permissions
For more information
If you have any questions or comments about this advisory:
- Email us at security@swagger.io
Original vulnerability report
I'm performing OSS security research under the GitHub Security Lab Bug Bounty program. I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.
- https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f
- https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac
- https://github.com/github/codeql/pull/4473
The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.
This vulnerability exists in the maven plugin.
This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability.
https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185
This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project.
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6
This is due to a race condition between the call to
deleteand the call tomkdirs.
java // ensure file will always be unique by appending random digits File outputFolder = File.createTempFile("codegen-", "-tmp"); // Attacker knows the full path of the file that will be generated // delete the file that was created outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator. // and make a directory of the same name // SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory outputFolder.mkdirs();This vulnerability is local privilege escalation because the contents of the
outputFoldercan be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.The fix here is to switch to the
FilesAPI for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.swagger:swagger-codegen"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21363"
],
"database_specific": {
"cwe_ids": [
"CWE-378",
"CWE-379"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-11T03:07:41Z",
"nvd_published_at": "2021-03-11T03:15:00Z",
"severity": "LOW"
},
"details": "### Impact\n\nOn Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. \n\nThis vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.\n\n#### Java Code\n\nThe method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability.\n\nhttps://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185\n\n\n### Patches\n\nFix has been applied to the master branch with:\n\n* https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89\n\nincluded in release: 2.4.19\n\n\n### References\n\n* [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n* [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Email us at [security@swagger.io](mailto:security@swagger.io)\n\n#### Original vulnerability report\n\n\u003e I\u0027m performing OSS security research under the GitHub Security Lab Bug Bounty program.\n\u003e I\u0027ve been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.\n\u003e \n\u003e - https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f\n\u003e - https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac\n\u003e - https://github.com/github/codeql/pull/4473\n\u003e \n\u003e The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.\n\u003e \n\u003e ---\n\u003e \n\u003e This vulnerability exists in the maven plugin.\n\u003e \n\u003e This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability.\n\u003e \n\u003e https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185\n\u003e \n\u003e This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project.\n\u003e \n\u003e https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\u003e \n\u003e This is due to a race condition between the call to `delete` and the call to `mkdirs`.\n\u003e \n\u003e ```java\n\u003e // ensure file will always be unique by appending random digits\n\u003e File outputFolder = File.createTempFile(\"codegen-\", \"-tmp\"); // Attacker knows the full path of the file that will be generated\n\u003e // delete the file that was created\n\u003e outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator.\n\u003e // and make a directory of the same name\n\u003e // SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory\n\u003e outputFolder.mkdirs();\n\u003e ```\n\u003e \n\u003e This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.\n\u003e \n\u003e The fix here is to switch to the `Files` API for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions.\n\u003e ",
"id": "GHSA-pc22-3g76-gm6j",
"modified": "2021-03-22T23:45:20Z",
"published": "2021-03-11T03:09:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21363"
},
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory"
}
GHSA-PMMG-4G9W-JF76
Vulnerability from github – Published: 2023-07-27 06:30 – Updated: 2024-04-04 06:23Dell Power Manager, Versions 3.3 to 3.14 contains an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access.
{
"affected": [],
"aliases": [
"CVE-2023-32450"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-27T05:15:10Z",
"severity": "HIGH"
},
"details": "\nDell Power Manager, Versions 3.3 to 3.14 contains an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access.\n\n",
"id": "GHSA-pmmg-4g9w-jf76",
"modified": "2024-04-04T06:23:43Z",
"published": "2023-07-27T06:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32450"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000215215/dsa-2023-181-dell-power-manager-security-update-for-an-improper-access-control-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q89F-4FM5-5X46
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15Adobe Digital Editions 4.5.11.187646 (and earlier) are affected by a privilege escalation vulnerability in the Digital Editions installer. An authenticated attacker could leverage this vulnerability to escalate privileges. User interaction is required before product installation to abuse this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-39828"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-27T16:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Digital Editions 4.5.11.187646 (and earlier) are affected by a privilege escalation vulnerability in the Digital Editions installer. An authenticated attacker could leverage this vulnerability to escalate privileges. User interaction is required before product installation to abuse this vulnerability.",
"id": "GHSA-q89f-4fm5-5x46",
"modified": "2022-05-24T19:15:46Z",
"published": "2022-05-24T19:15:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39828"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/Digital-Editions/apsb21-80.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R2VX-JCP9-XJ38
Vulnerability from github – Published: 2023-04-12 21:30 – Updated: 2023-04-12 21:30Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-26396"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T21:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-r2vx-jcp9-xj38",
"modified": "2023-04-12T21:30:19Z",
"published": "2023-04-12T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26396"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb23-24.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCJJ-H6GH-JF3R
Vulnerability from github – Published: 2020-12-09 19:03 – Updated: 2024-10-17 16:18Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.groovy:groovy"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.groovy:groovy"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.groovy:groovy"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.groovy:groovy-all"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.groovy:groovy-all"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.groovy:groovy-all"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-17521"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": true,
"github_reviewed_at": "2020-12-09T19:02:34Z",
"nvd_published_at": "2020-12-07T20:15:00Z",
"severity": "MODERATE"
},
"details": "Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy\u0027s implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.",
"id": "GHSA-rcjj-h6gh-jf3r",
"modified": "2024-10-17T16:18:50Z",
"published": "2020-12-09T19:03:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17521"
},
{
"type": "WEB",
"url": "https://github.com/apache/groovy/pull/1425"
},
{
"type": "WEB",
"url": "https://github.com/apache/groovy/commit/bcbe5c4c76db83736166530647c024ac1e47ef28"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/groovy"
},
{
"type": "WEB",
"url": "https://groovy-lang.org/security.html#CVE-2020-17521"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201218-0006"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Information Disclosure in Apache Groovy"
}
GHSA-VP9F-3RQH-83PC
Vulnerability from github – Published: 2024-01-25 18:30 – Updated: 2024-01-25 18:30The C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe process creates a folder at C:\Windows\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\Windows\Temp~nsu.tmp\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer’s Windows Installer. Since the C:\Windows\Temp~nsu.tmp folder inherits permissions from C:\Windows\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.
{
"affected": [],
"aliases": [
"CVE-2023-3181"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-25T16:15:07Z",
"severity": "HIGH"
},
"details": "The C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\uninst.exe process creates a folder at C:\\Windows\\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\\Windows\\Temp~nsu.tmp\\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer\u2019s Windows Installer. Since the C:\\Windows\\Temp~nsu.tmp folder inherits permissions from C:\\Windows\\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.",
"id": "GHSA-vp9f-3rqh-83pc",
"modified": "2024-01-25T18:30:50Z",
"published": "2024-01-25T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3181"
},
{
"type": "WEB",
"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0015.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WC69-M7G2-2PCM
Vulnerability from github – Published: 2025-01-02 18:30 – Updated: 2025-10-07 15:30A vulnerability in Forescout SecureConnector v11.3.07.0109 on Windows allows
unauthenticated user to modify compliance scripts due to insecure temporary directory.
{
"affected": [],
"aliases": [
"CVE-2024-9950"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-02T16:15:08Z",
"severity": "HIGH"
},
"details": "A vulnerability in Forescout SecureConnector v11.3.07.0109\u00a0on Windows allows \n\nunauthenticated user to modify compliance scripts due to insecure temporary directory.",
"id": "GHSA-wc69-m7g2-2pcm",
"modified": "2025-10-07T15:30:24Z",
"published": "2025-01-02T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9950"
},
{
"type": "WEB",
"url": "https://support.forescout.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WCRW-WHFV-8V36
Vulnerability from github – Published: 2025-12-09 00:31 – Updated: 2025-12-09 00:31IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks.
{
"affected": [],
"aliases": [
"CVE-2025-33111"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-08T22:15:51Z",
"severity": "MODERATE"
},
"details": "IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks.",
"id": "GHSA-wcrw-whfv-8v36",
"modified": "2025-12-09T00:31:16Z",
"published": "2025-12-09T00:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33111"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7253273"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WQH9-PJHR-MH8Q
Vulnerability from github – Published: 2026-04-05 21:30 – Updated: 2026-04-05 21:30WinRAR 5.61 contains a denial of service vulnerability that allows local attackers to crash the application by placing a malformed winrar.lng language file in the installation directory. Attackers can trigger the crash by opening an archive and pressing the test button, causing an access violation at memory address 004F1DB8 when the application attempts to read invalid data.
{
"affected": [],
"aliases": [
"CVE-2019-25677"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-05T21:16:45Z",
"severity": "MODERATE"
},
"details": "WinRAR 5.61 contains a denial of service vulnerability that allows local attackers to crash the application by placing a malformed winrar.lng language file in the installation directory. Attackers can trigger the crash by opening an archive and pressing the test button, causing an access violation at memory address 004F1DB8 when the application attempts to read invalid data.",
"id": "GHSA-wqh9-pjhr-mh8q",
"modified": "2026-04-05T21:30:20Z",
"published": "2026-04-05T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25677"
},
{
"type": "WEB",
"url": "https://win-rar.com/predownload.html?spV=true\u0026subD=true\u0026f=wrar561tr.exe"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46432"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/winrar-denial-of-service-via-malformed-language-file"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WXVP-8Q8H-R6RR
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2024-01-17 15:47The theme implementation in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 triggers duplicate caching of Cascading Style Sheets (CSS) and JavaScript content, which allows remote attackers to bypass intended access restrictions and write to an operating-system temporary directory via unspecified vectors.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"fixed": "2.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.1"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2011-4293"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-17T15:47:30Z",
"nvd_published_at": "2012-07-16T10:28:00Z",
"severity": "MODERATE"
},
"details": "The theme implementation in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 triggers duplicate caching of Cascading Style Sheets (CSS) and JavaScript content, which allows remote attackers to bypass intended access restrictions and write to an operating-system temporary directory via unspecified vectors.",
"id": "GHSA-wxvp-8q8h-r6rr",
"modified": "2024-01-17T15:47:30Z",
"published": "2022-05-13T01:13:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4293"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/05f4555422278190ec24a88466ac43c914a7e5d6"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/9a380fbb53429713b3c422a3146456dc97205329"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/e1c2a211f259821910be2cba23679d4176fb00a3"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git;a=commit;h=e1c2a211f259821910be2cba23679d4176fb00a3"
},
{
"type": "WEB",
"url": "http://moodle.org/mod/forum/discuss.php?d=182736"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/11/14/1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Moodle Double-Caches Content, Potentially Writing to a File System\u0027s Tmp Directory"
}
Mitigation
Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.
Mitigation
Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories.
Mitigation
Avoid using vulnerable temp file functions.
No CAPEC attack patterns related to this CWE.