GHSA-j75r-vf64-6rrh: RestEasy Reactive implementation of Quarkus allows Creation of Temporary File With Insecure Permissions

In the RestEasy Reactive implementation of Quarkus, the insecure File.createTempFile() is used in the FileBodyHandler class, which creates temp files with insecure permissions that could be read by a local user.

CVE ID: CVE-2023-0481

Moderate severity GitHub Reviewed Published Feb 24, 2023 to the GitHub Advisory Database • Updated Feb 24, 2023

Package: io.quarkus.resteasy.reactive:resteasy-reactive-common-parent (Maven)

Affected versions: < 3.0.0.Alpha4

Patched versions: 3.0.0.Alpha4

Published by the National Vulnerability Database: Feb 24, 2023

Published to the GitHub Advisory Database: Feb 24, 2023

Last updated: Feb 24, 2023
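
The difference the advisory describes, as an added Java example (not code from Quarkus or the linked pull request): java.io.File.createTempFile() leaves the file mode to the process umask, while java.nio.file.Files.createTempFile() accepts an explicit owner-only permission set. The class name, method names and the upload-/.tmp file names are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

// Added example, not Quarkus code: class, method and file names are hypothetical.
public class TempFilePermissionCheck {
    // Permission bits that let a local user other than the owner read or modify the file.
    private static final Set<PosixFilePermission> NON_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    // Legacy API named in the advisory: the file mode follows the process umask.
    static Path legacyTempFile() throws IOException {
        return File.createTempFile("upload-", ".tmp").toPath();
    }

    // NIO API with an explicit owner-only mode instead of relying on defaults.
    static Path ownerOnlyTempFile() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        return Files.createTempFile("upload-", ".tmp", ownerOnly);
    }

    // True when any group/other read or write bit is set on the file.
    static boolean exposedToOtherUsers(Path file) throws IOException {
        return !Collections.disjoint(Files.getPosixFilePermissions(file), NON_OWNER);
    }

    public static void main(String[] args) throws IOException {
        // Windows and other non-POSIX file systems have no rwx bits to compare.
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("Default file system has no POSIX permissions; nothing to compare.");
            return;
        }
        for (Path p : new Path[] { legacyTempFile(), ownerOnlyTempFile() }) {
            try {
                String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
                System.out.printf("%s %s exposed=%b%n", mode, p.getFileName(), exposedToOtherUsers(p));
            } finally {
                Files.delete(p); // clean up both sample files
            }
        }
    }
}
```

On JDK 11 or later the file can be run directly with `java TempFilePermissionCheck.java`; the result for the legacy call depends on the umask of the account running it.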

Related news

CVE-2023-2974

A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.

RHSA-2023:3809: Red Hat Security Advisory: Red Hat build of Quarkus 2.13.8 release and security update

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

* CVE-2022-45787: A flaw was found in Apache James's Mime4j TempFileStorageProvider class, where it may set improper permissions when utilizing temporary files. This flaw allows a locally authorized attacker to access information outside their intended permissions.
* CVE-2023-0481: In RestEasy Reactive implementation of Quarkus the insecure File.createTempFi...

CVE-2023-0481: Use newer API for creating tmp files in RESTEasy Reactive by geoand · Pull Request #30694 · quarkusio/quarkus
