Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNzVyLXZmNjQtNnJyaM4AAxzY
RestEasy Reactive implementation of Quarkus allows Creation of Temporary File With Insecure Permissions
In the RestEasy Reactive implementation of Quarkus, the insecure File.createTempFile() is used in the FileBodyHandler class, which creates temp files with insecure permissions that could be read by a local user.
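The pattern the advisory describes, as an added Java example that is not Quarkus code and does not reproduce the project's actual fix: the `File.createTempFile()` call beside the `java.nio.file.Files.createTempFile` form with an explicit owner-only permission attribute, plus the check a reviewer would run to see whether a temp file leaks read access to other local users. It assumes a POSIX file system; the `upload` prefix and the class name are placeholders.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class TempFilePermissions {

    // Vulnerable pattern: java.io.File.createTempFile creates the file with
    // mode 0666 masked by the process umask, so under a typical umask of 022
    // the written body is world-readable unless the caller tightens it later.
    static Path insecureTempFile() throws IOException {
        File f = File.createTempFile("upload", ".tmp"); // placeholder prefix
        return f.toPath();
    }

    // Hardened pattern: java.nio.file.Files.createTempFile already restricts the
    // file to its owner (rw-------) on POSIX file systems; passing the attribute
    // explicitly documents the intent and throws UnsupportedOperationException
    // on platforms that cannot honour it instead of silently creating a weaker file.
    static Path secureTempFile() throws IOException {
        Set<PosixFilePermission> ownerOnly = EnumSet.of(
                PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        return Files.createTempFile("upload", ".tmp",
                PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    // Check: does any group or other read bit leak the file to other local users?
    static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path bad = insecureTempFile();
        Path good = secureTempFile();
        try {
            System.out.println("File.createTempFile  -> " + PosixFilePermissions.toString(
                    Files.getPosixFilePermissions(bad))
                    + (readableByOthers(bad) ? "  (readable by other local users)" : ""));
            System.out.println("Files.createTempFile -> " + PosixFilePermissions.toString(
                    Files.getPosixFilePermissions(good)));
        } finally {
            Files.deleteIfExists(bad);
            Files.deleteIfExists(good);
        }
    }
}
```

Run it with a non-zero umask such as 022 to see the difference; with umask 077 both files come out owner-only, which is why relying on the process umask is not a fix.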
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNzVyLXZmNjQtNnJyaM4AAxzY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 3.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00042
EPSS Percentile: 0.05089
Identifiers: GHSA-j75r-vf64-6rrh, CVE-2023-0481
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-0481
- https://github.com/quarkusio/quarkus/pull/30694
- https://github.com/quarkusio/quarkus/commit/95d5904f7cf18c8165b97d8ca03b203d7f69c17e
- https://github.com/advisories/GHSA-j75r-vf64-6rrh
Blast Radius: 6.8
Affected Packages
maven:io.quarkus.resteasy.reactive:resteasy-reactive-common
Dependent packages: 9
Dependent repositories: 116
Downloads:
Affected Version Ranges: < 3.0.0.Alpha4
Fixed in: 3.0.0.Alpha4
All affected versions:
All unaffected versions: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0, 3.10.1, 3.10.2, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.15.0, 3.15.1, 3.15.2, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.16.4, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.17.5