GHSA-j75r-vf64-6rrh: RestEasy Reactive implementation of Quarkus allows Creation of Temporary File With Insecure Permissions
In the RestEasy Reactive implementation of Quarkus, the insecure File.createTempFile() is used in the FileBodyHandler class, which creates temp files with insecure permissions that could be read by a local user.
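The permission difference behind this advisory can be observed with the added example below. It is not Quarkus code and not the project's patch; the class name, method names and the "upload-" prefix are hypothetical, and owner-only creation through java.nio is shown as one common mitigation.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical demo class: compares the legacy API named in the advisory
// with an owner-only alternative. Run on a POSIX system to see the modes.
public class TempFilePermissions {

    static boolean posix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    // Legacy API: permissions follow the process umask, so with the common
    // umask 022 the file is created rw-r--r-- and any local user can read it.
    static Path createLegacy() throws IOException {
        return File.createTempFile("upload-", ".tmp").toPath();
    }

    // Hardened form: owner-only permissions are requested at creation time,
    // so the file is never world-readable, not even briefly.
    static Path createOwnerOnly() throws IOException {
        if (!posix()) {
            // Non-POSIX file system: there is no rwx attribute to pass.
            return Files.createTempFile("upload-", ".tmp");
        }
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        return Files.createTempFile("upload-", ".tmp", ownerOnly);
    }

    static String describe(Path p) throws IOException {
        return posix() ? PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
                       : "(non-POSIX file system)";
    }

    public static void main(String[] args) throws IOException {
        Path legacy = createLegacy();
        Path hardened = createOwnerOnly();
        try {
            System.out.println("File.createTempFile  -> " + describe(legacy));
            System.out.println("Files.createTempFile -> " + describe(hardened));
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

The same permission check can be used in a unit test to assert that request-body temp files are not group- or world-readable.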
- CVE-2023-0481
Moderate severity • GitHub Reviewed • Published Feb 24, 2023 to the GitHub Advisory Database • Updated Feb 24, 2023
Package: io.quarkus.resteasy.reactive:resteasy-reactive-common-parent (Maven)
Affected versions: < 3.0.0.Alpha4
Patched versions: 3.0.0.Alpha4
Published by the National Vulnerability Database: Feb 24, 2023
Published to the GitHub Advisory Database: Feb 24, 2023
Last updated: Feb 24, 2023
Related news
A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.
An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
* CVE-2022-45787: A flaw was found in Apache James's Mime4j TempFileStorageProvider class, where it may set improper permissions when utilizing temporary files. This flaw allows a locally authorized attacker to access information outside their intended permissions.
* CVE-2023-0481: In RestEasy Reactive implementation of Quarkus the insecure File.createTempFi...