CWE-379
AllowedCreation of Temporary File in Directory with Insecure Permissions
Abstraction: Base · Status: Incomplete
The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
112 vulnerabilities reference this CWE, most recent first.
GHSA-7G45-4RM6-3MM3
Vulnerability from github – Published: 2023-06-14 18:30 – Updated: 2025-11-04 16:44Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.google.guava:guava"
},
"ranges": [
{
"events": [
{
"introduced": "1.0"
},
{
"fixed": "32.0.0-android"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2976"
],
"database_specific": {
"cwe_ids": [
"CWE-379",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-14T21:01:07Z",
"nvd_published_at": "2023-06-14T18:15:09Z",
"severity": "MODERATE"
},
"details": "Use of Java\u0027s default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\nEven though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.",
"id": "GHSA-7g45-4rm6-3mm3",
"modified": "2025-11-04T16:44:26Z",
"published": "2023-06-14T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976"
},
{
"type": "WEB",
"url": "https://github.com/google/guava/issues/2575"
},
{
"type": "WEB",
"url": "https://github.com/google/guava/issues/6532"
},
{
"type": "WEB",
"url": "https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284"
},
{
"type": "PACKAGE",
"url": "https://github.com/google/guava"
},
{
"type": "WEB",
"url": "https://github.com/google/guava/releases/tag/v32.0.0"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230818-0008"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241108-0002"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Guava vulnerable to insecure use of temporary directory"
}
GHSA-85RF-RP2V-42MG
Vulnerability from github – Published: 2021-11-19 00:00 – Updated: 2021-11-19 00:00Adobe Creative Cloud version 5.5 (and earlier) are affected by an Application denial of service vulnerability in the Creative Cloud Desktop installer. An authenticated attacker could leverage this vulnerability to achieve denial of service in the context of the user. User interaction is required before product installation to abuse this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-43017"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-18T19:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Creative Cloud version 5.5 (and earlier) are affected by an Application denial of service vulnerability in the Creative Cloud Desktop installer. An authenticated attacker could leverage this vulnerability to achieve denial of service in the context of the user. User interaction is required before product installation to abuse this vulnerability.",
"id": "GHSA-85rf-rp2v-42mg",
"modified": "2021-11-19T00:00:28Z",
"published": "2021-11-19T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43017"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/creative-cloud/apsb21-111.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-867Q-77CC-98MV
Vulnerability from github – Published: 2021-04-29 21:51 – Updated: 2021-05-10 19:29Impact
Using File.createTempFile in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. This vulnerability only impacts unix-like systems where the local system temporary directory is shared between all users. This vulnerability does not impact Windows or modern versions of MacOS.
OpenAPI Generator Maven plug-in creates insecure temporary files during the code generation process. It creates insecure temporary files to store the OpenAPI specification files provided by the users and these temporary files can be read by any users in the system.
The impact of this vulnerability is information disclosure of the contents of the specification file to other local users.
Patches
The issue has been patched with Files.createTempFile and released in the v5.1.0 stable version.
For more information
If you have any questions or comments about this advisory: * Open an issue in OpenAPI Generator Github repo * Email us at security@openapitools.org
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.openapitools:openapi-generator-maven-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21429"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-378",
"CWE-379",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-27T19:58:51Z",
"nvd_published_at": "2021-04-27T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nUsing `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. This vulnerability only impacts unix-like systems where the local system temporary directory is shared between all users. This vulnerability does not impact Windows or modern versions of MacOS.\n\nOpenAPI Generator Maven plug-in creates insecure temporary files during the code generation process. It creates insecure temporary files to store the OpenAPI specification files provided by the users and these temporary files can be read by any users in the system.\n\nThe impact of this vulnerability is information disclosure of the contents of the specification file to other local users.\n\n### Patches\nThe issue has been patched with `Files.createTempFile` and released in the v5.1.0 stable version.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [OpenAPI Generator Github repo](https://github.com/openAPITools/openapi-generator/)\n* Email us at [security@openapitools.org](mailto:security@openapitools.org)",
"id": "GHSA-867q-77cc-98mv",
"modified": "2021-05-10T19:29:52Z",
"published": "2021-04-29T21:51:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-867q-77cc-98mv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21429"
},
{
"type": "WEB",
"url": "https://github.com/OpenAPITools/openapi-generator/pull/8795"
},
{
"type": "WEB",
"url": "https://github.com/OpenAPITools/openapi-generator/blob/06ad7a51eff04393203cfa715e54e1fb59d984fe/modules/openapi-generator-maven-plugin/src/main/java/org/openapitools/codegen/plugin/CodeGenMojo.java#L782-L799"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Creation of Temporary File in Directory with Insecure Permissions in the OpenAPI Generator Maven plugin"
}
GHSA-87WV-CCH6-JJH9
Vulnerability from github – Published: 2024-11-16 00:31 – Updated: 2024-11-16 00:31A maliciously crafted DLL file when placed in temporary files and folders that are leveraged by the Autodesk Installer could lead to escalation of privileges to NT AUTHORITY/SYSTEM due to insecure privilege management.
{
"affected": [],
"aliases": [
"CVE-2024-9500"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-15T22:15:16Z",
"severity": "HIGH"
},
"details": "A maliciously crafted DLL file when placed in temporary files and folders that are leveraged by the Autodesk Installer could lead to escalation of privileges to NT AUTHORITY/SYSTEM due to insecure privilege management.",
"id": "GHSA-87wv-cch6-jjh9",
"modified": "2024-11-16T00:31:51Z",
"published": "2024-11-16T00:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9500"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-92HR-CJP6-738X
Vulnerability from github – Published: 2025-12-09 21:31 – Updated: 2025-12-09 21:31Creative Cloud Desktop versions 6.4.0.361 and earlier are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to disrupt the application's functionality by manipulating temporary files. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-64896"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T21:15:59Z",
"severity": "MODERATE"
},
"details": "Creative Cloud Desktop versions 6.4.0.361 and earlier are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to disrupt the application\u0027s functionality by manipulating temporary files. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-92hr-cjp6-738x",
"modified": "2025-12-09T21:31:49Z",
"published": "2025-12-09T21:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64896"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/creative-cloud/apsb25-120.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-94QM-CPMJ-PVCV
Vulnerability from github – Published: 2022-06-16 00:00 – Updated: 2022-06-16 00:00Adobe Lightroom Classic 10.3 (and earlier) are affected by a privilege escalation vulnerability in the Offline Lightroom Classic installer. An authenticated attacker could leverage this vulnerability to escalate privileges. User interaction is required before product installation to abuse this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-40776"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-15T19:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Lightroom Classic 10.3 (and earlier) are affected by a privilege escalation vulnerability in the Offline Lightroom Classic installer. An authenticated attacker could leverage this vulnerability to escalate privileges. User interaction is required before product installation to abuse this vulnerability.",
"id": "GHSA-94qm-cpmj-pvcv",
"modified": "2022-06-16T00:00:21Z",
"published": "2022-06-16T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40776"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/lightroom/apsb21-97.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95H7-88RJ-5GC6
Vulnerability from github – Published: 2024-01-11 00:30 – Updated: 2025-11-04 21:31An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sonoma 14, iOS 16.7 and iPadOS 16.7. An app may be able to access edited photos saved to a temporary directory.
{
"affected": [],
"aliases": [
"CVE-2023-40438"
],
"database_specific": {
"cwe_ids": [
"CWE-379"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-10T22:15:48Z",
"severity": "MODERATE"
},
"details": "An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sonoma 14, iOS 16.7 and iPadOS 16.7. An app may be able to access edited photos saved to a temporary directory.",
"id": "GHSA-95h7-88rj-5gc6",
"modified": "2025-11-04T21:31:03Z",
"published": "2024-01-11T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40438"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213927"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213940"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213927"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213940"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9HM6-HX4J-G3X5
Vulnerability from github – Published: 2023-01-18 21:30 – Updated: 2023-01-26 18:30Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-21611"
],
"database_specific": {
"cwe_ids": [
"CWE-379",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-18T19:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier) and 20.005.30418 (and earlier) are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-9hm6-hx4j-g3x5",
"modified": "2023-01-26T18:30:47Z",
"published": "2023-01-18T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21611"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb23-01.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9W2P-RH8C-V9G5
Vulnerability from github – Published: 2023-12-09 00:39 – Updated: 2024-11-22 20:21Impact
A PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to.
A user is affected if all the following are satisfied:
- The user runs an application containing either
matplotliborwin32com. - The application is ran as administrator (or at least a user with higher privileges than the attacker).
- The user's temporary directory is not locked to that specific user (most likely due to
TMP/TEMPenvironment variables pointing to an unprotected, arbitrary, non default location). - Either:
- The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between
shutil.rmtree()'s builtin symlink check and the deletion itself - The application was built with Python 3.7.x or earlier which has no protection against Directory Junctions links
Patches
The vulnerability has been addressed in https://github.com/pyinstaller/pyinstaller/pull/7827 which corresponds to pyinstaller >= 5.13.1
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No workaround, although the attack complexity becomes much higher if the application is built with Python >= 3.8.0.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyinstaller"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.13.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49797"
],
"database_specific": {
"cwe_ids": [
"CWE-379",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-09T00:39:46Z",
"nvd_published_at": "2023-12-09T01:15:07Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA PyInstaller built application, elevated as a privileged process, may be tricked by an unprivileged attacker into deleting files the unprivileged user does not otherwise have access to.\n\nA user is affected if **all** the following are satisfied:\n\n* The user runs an application containing either `matplotlib` or `win32com`.\n* The application is ran as administrator (or at least a user with higher privileges than the attacker).\n* The user\u0027s temporary directory is not locked to that specific user (most likely due to `TMP`/`TEMP` environment variables pointing to an unprotected, arbitrary, non default location).\n* Either:\n - The attacker is able to very carefully time the replacement of a temporary file with a symlink. This switch must occur exactly between [`shutil.rmtree()`\u0027s builtin symlink check](https://github.com/python/cpython/blob/0fb18b02c8ad56299d6a2910be0bab8ad601ef24/Lib/shutil.py#L623) and the deletion itself\n - The application was built with Python 3.7.x or earlier which has no protection against Directory Junctions links\n\n### Patches\n\nThe vulnerability has been addressed in https://github.com/pyinstaller/pyinstaller/pull/7827 which corresponds to `pyinstaller \u003e= 5.13.1`\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nNo workaround, although the attack complexity becomes much higher if the application is built with Python \u003e= 3.8.0.",
"id": "GHSA-9w2p-rh8c-v9g5",
"modified": "2024-11-22T20:21:21Z",
"published": "2023-12-09T00:39:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-9w2p-rh8c-v9g5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49797"
},
{
"type": "WEB",
"url": "https://github.com/pyinstaller/pyinstaller/pull/7827"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyinstaller/pyinstaller"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyinstaller/PYSEC-2023-292.yaml"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/blob/0fb18b02c8ad56299d6a2910be0bab8ad601ef24/Lib/shutil.py#L623"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2K2XIQLEMZIKUQUOWNDYWTEWYQTKMAN7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRWT34FAF23PUOLVZ7RVWBZMWPDR5U7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Local Privilege Escalation in Windows"
}
GHSA-C43Q-5HPJ-4CRV
Vulnerability from github – Published: 2021-04-23 16:55 – Updated: 2021-04-22 19:22Impact
Eclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
Workaround
This issue can be mitigated by manually setting the java.io.tmpdir system property when launching the JVM.
Patches
Jersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.
References
- https://github.com/eclipse-ee4j/jersey/pull/4712
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Similar Vulnerabilities
Similar, but not the same:
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
- Google Guava - https://github.com/google/guava/issues/4011
- Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
- JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824
- Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6
Original Disclosure:
Hello Jersey Security Team,
Utilizing a custom CodeQL query written as a part of the GitHub Security Lab Bug Bounty program, I've unearthed a local temporary file information disclosure vulnerability.
You can see the custom CodeQL query utilized here: https://lgtm.com/query/8831016213790320486/
This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.
This vulnerability impacts the following locations in this project's source:
- https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73
- https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208
This vulnerability exists because of the vulnerability in the
Utils.createTempFile:https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java#L42-L53
This is because
File.createTempFilecreates a file inside of the system temporary directory with the permissions:-rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system.If there is sensitive information written to these files, it is disclosed to other local users on this system.
The fix for this vulnerability is to use the
FilesAPI (instead of theFileAPI) to create temporary files/directories as this new API correctly sets the posix file permissions.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.33"
},
"package": {
"ecosystem": "Maven",
"name": "org.glassfish.jersey.core:jersey-common"
},
"ranges": [
{
"events": [
{
"introduced": "2.28"
},
{
"fixed": "2.34"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.glassfish.jersey.core:jersey-common"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-28168"
],
"database_specific": {
"cwe_ids": [
"CWE-378",
"CWE-379",
"CWE-668",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-22T19:22:31Z",
"nvd_published_at": "2021-04-22T18:15:00Z",
"severity": "MODERATE"
},
"details": "## Impact\nEclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the `File.createTempFile` which creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.\n\n## Workaround\n\nThis issue can be mitigated by manually setting the `java.io.tmpdir` system property when launching the JVM.\n\n## Patches\n\nJersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.\n\n### References\n \n - https://github.com/eclipse-ee4j/jersey/pull/4712\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n## Similar Vulnerabilities\n\nSimilar, but not the same:\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n - Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\n\n---\n\nOriginal Disclosure:\n\n\u003e Hello Jersey Security Team,\n\u003e \n\u003e Utilizing a custom CodeQL query written as a part of the [GitHub Security Lab](https://securitylab.github.com/) [Bug Bounty program](https://securitylab.github.com/bounties), I\u0027ve unearthed a local temporary file information disclosure vulnerability.\n\u003e \n\u003e You can see the custom CodeQL query utilized here:\n\u003e https://lgtm.com/query/8831016213790320486/\n\u003e \n\u003e This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.\n\u003e \n\u003e This vulnerability impacts the following locations in this project\u0027s source:\n\u003e \n\u003e - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73\n\u003e - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208\n\u003e \n\u003e This vulnerability exists because of the vulnerability in the `Utils.createTempFile`:\n\u003e \n\u003e https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java#L42-L53\n\u003e \n\u003e This is because `File.createTempFile` creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system.\n\u003e \n\u003e If there is sensitive information written to these files, it is disclosed to other local users on this system.\n\u003e \n\u003e The fix for this vulnerability is to use the `Files` API (instead of the `File` API) to create temporary files/directories as this new API correctly sets the posix file permissions.",
"id": "GHSA-c43q-5hpj-4crv",
"modified": "2021-04-22T19:22:31Z",
"published": "2021-04-23T16:55:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-ee4j/jersey/pull/4712"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Local information disclosure via system temporary directory"
}
Mitigation
Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.
Mitigation
Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories.
Mitigation
Avoid using vulnerable temp file functions.
No CAPEC attack patterns related to this CWE.