Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yYzZnLXBmeDMtdzdoOM4ABDaq

Insecure Temporary File in RESTEasy

Impact

In RESTEasy, the insecure File.createTempFile() method is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes. It creates temporary files with permissions that allow a local user to read them.
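
The pattern behind this advisory, as an added example that is not RESTEasy's own code: the vulnerable java.io.File.createTempFile() call beside the hardened java.nio.file.Files.createTempFile() form, plus a check that reports whether the resulting file is readable by anyone other than its owner. The class and method names are hypothetical, and it assumes a POSIX file system (the permission calls throw UnsupportedOperationException on Windows).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFileDemo {

    // Vulnerable pattern: java.io.File.createTempFile honours the process umask,
    // so under the common umask 022 the file is created rw-r--r-- and any local
    // user on the host can read whatever the application writes into it.
    static Path insecureTempFile() throws IOException {
        File f = File.createTempFile("upload-", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    // Hardened pattern: java.nio.file.Files.createTempFile creates the file with
    // owner-only permissions (rw-------) on POSIX file systems even without
    // arguments; the attribute is passed explicitly here so the intent is visible.
    static Path secureTempFile() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Path p = Files.createTempFile("upload-", ".tmp", ownerOnly);
        p.toFile().deleteOnExit();
        return p;
    }

    // Detection check: true if the group or other users can read the file.
    static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    // One line per file: path, rwx string, and the result of the check above.
    static String report(Path p) throws IOException {
        return p + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
                + " readable by others: " + readableByOthers(p);
    }

    public static void main(String[] args) throws IOException {
        System.out.println(report(insecureTempFile()));
        System.out.println(report(secureTempFile()));
    }
}
```

The same readableByOthers check can be pointed at an existing temp directory to audit files an older RESTEasy version has already written.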

Patches

Fixed in the following pull requests:

Workarounds

There is no workaround for this issue.

References

Permalink: https://github.com/advisories/GHSA-2c6g-pfx3-w7h8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yYzZnLXBmeDMtdzdoOM4ABDaq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 14 days ago
Updated: 14 days ago


CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Percentage: 0.00042
EPSS Percentile: 0.05089

Identifiers: GHSA-2c6g-pfx3-w7h8, CVE-2023-0482
References: Repository: https://github.com/resteasy/resteasy
Blast Radius: 18.0

Affected Packages

maven:org.jboss.resteasy:resteasy-core
Dependent packages: 158
Dependent repositories: 357
Downloads:
Affected Version Ranges: < 3.15.4.Final; >= 4.0.0.Beta1, < 4.7.8.Final; >= 5.0.0.Alpha1, < 5.0.6.Final; >= 6.0.0.Beta1, < 6.2.3.Final
Fixed in: 3.15.5.Final, 4.7.8.Final, 5.0.6.Final, 6.2.3.Final
All affected versions:
All unaffected versions:
maven:org.jboss.resteasy:resteasy-multipart-provider
Dependent packages: 249
Dependent repositories: 1,874
Downloads:
Affected Version Ranges: < 3.15.4.Final; >= 4.0.0.Beta1, < 4.7.8.Final; >= 5.0.0.Alpha1, < 5.0.6.Final; >= 6.0.0.Beta1, < 6.2.3.Final
Fixed in: 3.15.5.Final, 4.7.8.Final, 5.0.6.Final, 6.2.3.Final
All affected versions:
All unaffected versions: