CWE-377
Allowed-with-ReviewInsecure Temporary File
Abstraction: Class · Status: Incomplete
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
170 vulnerabilities reference this CWE, most recent first.
GHSA-CR5Q-6Q9F-RQ6Q
Vulnerability from github – Published: 2023-08-23 20:36 – Updated: 2025-02-18 22:32There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.
Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5
Impact
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.
Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
To work around this issue, you can set your umask to be more restrictive like this:
$ umask 0077
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "activesupport"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "6.1.7.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "activesupport"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38037"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-23T20:36:24Z",
"nvd_published_at": "2025-01-09T01:15:07Z",
"severity": "MODERATE"
},
"details": "There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.\n\nVersions Affected: \u003e= 5.2.0 Not affected: \u003c 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5\n\n# Impact\nActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file\u2019s permissions are defaulted to the user\u2019s current umask settings, meaning that it\u2019s possible for other users on the same system to read the contents of the temporary file.\n\nAttackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\n# Releases\nThe fixed releases are available at the normal locations.\n\n# Workarounds\nTo work around this issue, you can set your umask to be more restrictive like this:\n\n```ruby\n$ umask 0077\n```",
"id": "GHSA-cr5q-6q9f-rq6q",
"modified": "2025-02-18T22:32:50Z",
"published": "2023-08-23T20:36:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38037"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731"
},
{
"type": "WEB",
"url": "https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/releases/tag/v7.0.7.1"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250214-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Active Support Possibly Discloses Locally Encrypted Files"
}
GHSA-F35P-MP22-6W3M
Vulnerability from github – Published: 2025-08-26 06:31 – Updated: 2025-08-26 06:31A vulnerability was detected in Mihomo Party up to 1.8.1 on macOS. Affected is the function enableSysProxy of the file src/main/sys/sysproxy.ts of the component Socket Handler. The manipulation results in creation of temporary file with insecure permissions. The attack requires a local approach. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-9474"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-26T05:15:33Z",
"severity": "LOW"
},
"details": "A vulnerability was detected in Mihomo Party up to 1.8.1 on macOS. Affected is the function enableSysProxy of the file src/main/sys/sysproxy.ts of the component Socket Handler. The manipulation results in creation of temporary file with insecure permissions. The attack requires a local approach. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used.",
"id": "GHSA-f35p-mp22-6w3m",
"modified": "2025-08-26T06:31:00Z",
"published": "2025-08-26T06:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9474"
},
{
"type": "WEB",
"url": "https://github.com/SwayZGl1tZyyy/n-days/blob/main/mihomo-party/README.md"
},
{
"type": "WEB",
"url": "https://github.com/SwayZGl1tZyyy/n-days/blob/main/mihomo-party/README.md#proof-of-concept-1"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.321343"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.321343"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.634656"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F4JH-WW96-9H9J
Vulnerability from github – Published: 2021-03-30 16:23 – Updated: 2021-03-30 16:22Impact
When File.createTempFile creates a file, the permissions on that file are -rw-r--r--. This means that other users can read the contents of these files after they are written, although they can not modify the contents. This allows for local information disclosure if these files contain sensitive information.
Vulnerable locations: - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/backup/MetaData.java#L106-L111 - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/identity/DoubleRing.java#L109-L118 - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/restore/PostRestoreHook.java#L80-L86
The custom CodeQL queries leveraged to find these this as well as their results can be found here:
https://lgtm.com/query/1543383251073929777/ https://lgtm.com/query/3142895023158674709/
Official Disclosure
https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md
Fix
There are no fixed versions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.netflix.priam:priam"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.1.104"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-28100"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-30T16:22:43Z",
"nvd_published_at": "2021-03-23T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen `File.createTempFile` creates a file, the permissions on that file are -rw-r--r--. This means that other users can read the contents of these files after they are written, although they can not modify the contents. This allows for local information disclosure if these files contain sensitive information.\n\nVulnerable locations:\n - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/backup/MetaData.java#L106-L111\n - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/identity/DoubleRing.java#L109-L118\n - https://github.com/Netflix/Priam/blob/362660bb7ebddb0cfa756a282d94678f65af9f06/priam/src/main/java/com/netflix/priam/restore/PostRestoreHook.java#L80-L86\n\n---\n\nThe custom CodeQL queries leveraged to find these this as well as their results can be found here:\n\nhttps://lgtm.com/query/1543383251073929777/\nhttps://lgtm.com/query/3142895023158674709/\n\n## Official Disclosure\n\nhttps://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2021-002.md\n\n## Fix\n\nThere are no fixed versions.",
"id": "GHSA-f4jh-ww96-9h9j",
"modified": "2021-03-30T16:22:43Z",
"published": "2021-03-30T16:23:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-f4jh-ww96-9h9j"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Netflix/Priam: Temporary Directory Information Disclosure"
}
GHSA-F8VX-Q848-4V5X
Vulnerability from github – Published: 2026-03-25 21:30 – Updated: 2026-03-25 21:30A vulnerability was detected in Enter Software Iperius Backup bis 8.7.3. Affected is an unknown function of the file C:\ProgramData\IperiusBackup\Jobs\ of the component Backup Service. Performing a manipulation results in creation of temporary file with insecure permissions. The attack is only possible with local access. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit is now public and may be used. Upgrading to version 8.7.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
{
"affected": [],
"aliases": [
"CVE-2026-4822"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T21:16:48Z",
"severity": "HIGH"
},
"details": "A vulnerability was detected in Enter Software Iperius Backup bis 8.7.3. Affected is an unknown function of the file C:\\ProgramData\\IperiusBackup\\Jobs\\ of the component Backup Service. Performing a manipulation results in creation of temporary file with insecure permissions. The attack is only possible with local access. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit is now public and may be used. Upgrading to version 8.7.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.",
"id": "GHSA-f8vx-q848-4v5x",
"modified": "2026-03-25T21:30:36Z",
"published": "2026-03-25T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4822"
},
{
"type": "WEB",
"url": "https://github.com/0truust/iperius-backup-security-advisories/blob/main/advisories/arbitrary-file-disclosure.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.353122"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.353122"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.774209"
},
{
"type": "WEB",
"url": "https://www.iperiusbackup.com/download-software-backup.aspx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FFHX-2RRF-9C23
Vulnerability from github – Published: 2024-06-12 09:30 – Updated: 2024-11-12 18:30A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.
{
"affected": [],
"aliases": [
"CVE-2024-5742"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-12T09:15:23Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.",
"id": "GHSA-ffhx-2rrf-9c23",
"modified": "2024-11-12T18:30:50Z",
"published": "2024-06-12T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5742"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6986"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:9430"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-5742"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278574"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00006.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FQH9-2QGG-H84H
Vulnerability from github – Published: 2022-05-17 04:01 – Updated: 2024-09-23 19:26FileSystemBytecodeCache in Jinja2 prior to version 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Jinja2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-0012"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-14T00:58:39Z",
"nvd_published_at": "2014-05-19T14:55:00Z",
"severity": "MODERATE"
},
"details": "FileSystemBytecodeCache in Jinja2 prior to version 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user\u0027s uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.",
"id": "GHSA-fqh9-2qgg-h84h",
"modified": "2024-09-23T19:26:46Z",
"published": "2022-05-17T04:01:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0012"
},
{
"type": "WEB",
"url": "https://github.com/mitsuhiko/jinja2/pull/292"
},
{
"type": "WEB",
"url": "https://github.com/mitsuhiko/jinja2/pull/296"
},
{
"type": "WEB",
"url": "https://github.com/pallets/jinja2/pull/292"
},
{
"type": "WEB",
"url": "https://github.com/pallets/jinja2/pull/296"
},
{
"type": "WEB",
"url": "https://github.com/mitsuhiko/jinja2/commit/acb672b6a179567632e032f547582f30fa2f4aa7"
},
{
"type": "WEB",
"url": "https://github.com/pallets/jinja/commit/acb672b6a179567632e032f547582f30fa2f4aa7"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734747"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1051421"
},
{
"type": "PACKAGE",
"url": "https://github.com/pallets/jinja2"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/jinja2/PYSEC-2014-82.yaml"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2014/q1/73"
},
{
"type": "WEB",
"url": "http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Insecure Temporary File in Jinja2"
}
GHSA-G2JW-FQX3-5MWQ
Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.
{
"affected": [],
"aliases": [
"CVE-2015-5224"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-23T15:29:00Z",
"severity": "CRITICAL"
},
"details": "The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks.",
"id": "GHSA-g2jw-fqx3-5mwq",
"modified": "2022-05-13T01:16:19Z",
"published": "2022-05-13T01:16:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5224"
},
{
"type": "WEB",
"url": "https://github.com/karelzak/util-linux/commit/bde91c85bdc77975155058276f99d2e0f5eab5a9"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1256686"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/08/24/3"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/76467"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G4MQ-6FP5-QWCF
Vulnerability from github – Published: 2021-04-20 16:46 – Updated: 2024-11-18 16:26A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p "; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc//cmdline'.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0a1"
},
{
"fixed": "2.8.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0a1"
},
{
"fixed": "2.9.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-1733"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-377",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-05T18:50:43Z",
"nvd_published_at": "2020-03-11T19:15:00Z",
"severity": "LOW"
},
"details": "A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027.",
"id": "GHSA-g4mq-6fp5-qwcf",
"modified": "2024-11-18T16:26:12Z",
"published": "2021-04-20T16:46:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/issues/67791"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/80b9a0a25c5f75e84aefc8f2b293fb1933b154f2"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/8251d9f4c2bc82632ab992277fcd30ccbf87aa47"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/ecf99d5e1ff732a7777010facd6c98bb0994605e"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-g4mq-6fp5-qwcf"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-5.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202006-11"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4950"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Ansible vulnerable to Exposure of Resource to Wrong Sphere and Insecure Temporary File"
}
GHSA-GC5V-M9X4-R6X2
Vulnerability from github – Published: 2026-03-25 16:56 – Updated: 2026-03-27 22:07Impact
The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.
Affected usages
Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.
Remediation
Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.
If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "requests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.33.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25645"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T16:56:28Z",
"nvd_published_at": "2026-03-25T17:16:52Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.\n\n### Affected usages\n**Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted.\n\n### Remediation\nUpgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.\n\nIf developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.",
"id": "GHSA-gc5v-m9x4-r6x2",
"modified": "2026-03-27T22:07:42Z",
"published": "2026-03-25T16:56:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25645"
},
{
"type": "WEB",
"url": "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7"
},
{
"type": "PACKAGE",
"url": "https://github.com/psf/requests"
},
{
"type": "WEB",
"url": "https://github.com/psf/requests/releases/tag/v2.33.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"
}
GHSA-GG57-WG6F-C8VG
Vulnerability from github – Published: 2026-06-01 21:30 – Updated: 2026-06-01 21:30CodexBar prior to 0.32.0 contains a privilege escalation vulnerability in the CLI installer that allows local attackers to execute arbitrary commands as root by exploiting a race condition in temporary file handling. The installer creates a temporary file with mktemp, writes a privileged shell payload into it, and executes it with administrator privileges via bash, allowing a same-user local process to rewrite the installer body before the administrator prompt is approved, causing attacker-controlled commands to run as root.
{
"affected": [],
"aliases": [
"CVE-2026-49134"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-01T21:16:46Z",
"severity": "HIGH"
},
"details": "CodexBar prior to 0.32.0 contains a privilege escalation vulnerability in the CLI installer that allows local attackers to execute arbitrary commands as root by exploiting a race condition in temporary file handling. The installer creates a temporary file with mktemp, writes a privileged shell payload into it, and executes it with administrator privileges via bash, allowing a same-user local process to rewrite the installer body before the administrator prompt is approved, causing attacker-controlled commands to run as root.",
"id": "GHSA-gg57-wg6f-c8vg",
"modified": "2026-06-01T21:30:45Z",
"published": "2026-06-01T21:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49134"
},
{
"type": "WEB",
"url": "https://github.com/steipete/CodexBar/pull/1222"
},
{
"type": "WEB",
"url": "https://github.com/steipete/CodexBar/commit/dbc944d46cd4cf7877d1ca47c44556fe573b46e8"
},
{
"type": "WEB",
"url": "https://github.com/steipete/CodexBar/releases/tag/v0.32.0"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/codexbar-privilege-escalation-via-cli-installer-temp-file"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-149: Explore for Predictable Temporary File Names
An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.
CAPEC-155: Screen Temporary Files for Sensitive Information
An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.