ghsa-g88v-2j67-9rmx
Vulnerability from github
Published
2025-05-27 18:00
Modified
2025-05-28 14:29
Severity ?
1.2 (Low) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
Summary
Fess has Insecure Temporary File Permissions
Details

Summary

Fess (an open-source Enterprise Search Server) creates temporary files without restrictive permissions, which may allow local attackers to read sensitive information from these temporary files.

Details

The createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files.

Impact

This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact.

Workarounds

Ensure local access to the environment running Fess is restricted to trusted users only.

References

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codelibs.fess:fess"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48382"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-27T18:00:48Z",
    "nvd_published_at": "2025-05-27T05:15:24Z",
    "severity": "LOW"
  },
  "details": "### Summary\nFess (an open-source Enterprise Search Server) creates temporary files without restrictive permissions, which may allow local attackers to read sensitive information from these temporary files.\n\n### Details\nThe `createTempFile()` method in `org.codelibs.fess.helper.SystemHelper` creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files.\n\n### Impact\nThis issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact.\n\n### Workarounds\nEnsure local access to the environment running Fess is restricted to trusted users only.\n\n### References\n- [CVE-2022-24823: Netty temporary file permissions vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2022-24823)",
  "id": "GHSA-g88v-2j67-9rmx",
  "modified": "2025-05-28T14:29:46Z",
  "published": "2025-05-27T18:00:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/codelibs/fess/security/advisories/GHSA-g88v-2j67-9rmx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48382"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codelibs/fess/commit/25b2009fea2a0f6ccd5aa8154aa54b536c08f6c4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codelibs/fess"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fess has Insecure Temporary File Permissions"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.