CWE-378
AllowedCreation of Temporary File With Insecure Permissions
Abstraction: Base · Status: Draft
Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.
85 vulnerabilities reference this CWE, most recent first.
GHSA-GHG9-7QFG-HXJ6
Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Tampering.
{
"affected": [],
"aliases": [
"CVE-2025-46684"
],
"database_specific": {
"cwe_ids": [
"CWE-378"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T17:15:57Z",
"severity": "MODERATE"
},
"details": "Dell SupportAssist OS Recovery, versions prior to 5.5.15.1, contain a Creation of Temporary File With Insecure Permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information Tampering.",
"id": "GHSA-ghg9-7qfg-hxj6",
"modified": "2026-01-13T18:31:07Z",
"published": "2026-01-13T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46684"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000401506/dsa-2025-456"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H732-87V7-7449
Vulnerability from github – Published: 2024-12-25 18:30 – Updated: 2024-12-25 18:30Dell NativeEdge, version(s) 2.1.0.0, contain(s) a Creation of Temporary File With Insecure Permissions vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.
{
"affected": [],
"aliases": [
"CVE-2024-52543"
],
"database_specific": {
"cwe_ids": [
"CWE-378",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-25T16:15:22Z",
"severity": "MODERATE"
},
"details": "Dell NativeEdge, version(s) 2.1.0.0, contain(s) a Creation of Temporary File With Insecure Permissions vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.",
"id": "GHSA-h732-87v7-7449",
"modified": "2024-12-25T18:30:45Z",
"published": "2024-12-25T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52543"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000258904/dsa-2024-488-security-update-for-dell-nativeedge-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HPV8-9RQ5-HQ7W
Vulnerability from github – Published: 2021-03-11 03:09 – Updated: 2022-10-25 20:35Impact
This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually!
On Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default umask settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions -rw-r--r-- and drwxr-xr-x respectively, unless an API that explicitly sets safe file permissions is used.
Java Code
The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.
- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/kotlin-client/infrastructure/ApiClient.kt.mustache#L209
- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/finch/api.mustache#L84
- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L831-L834
- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L630-L633
Patches
Fix has been applied to the master branch with:
- https://github.com/swagger-api/swagger-codegen/commit/35adbd552d5f99b3ff1e0e59da228becc85190f2
included in release: 2.4.19
Workarounds
Users can remediate the vulnerability in non patched version by manually (or programmatically e.g. in CI) updating the generated source code to use java.nio.files.Files temporary file creation instead of java.io.File, e.g. by changing
if (tempFolderPath == null)
return File.createTempFile(prefix, suffix);
else
return File.createTempFile(prefix, suffix, new File(tempFolderPath));
to
if (tempFolderPath == null)
return Files.createTempFile(prefix, suffix).toFile();
else
return Files.createTempFile(Paths.get(tempFolderPath), prefix, suffix).toFile();
or generally changing:
File.createTempFile(prefix, suffix);
to
Files.createTempFile(prefix, suffix).toFile();
References
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-732: Incorrect Permission Assignment for Critical Resource
For more information
If you have any questions or comments about this advisory:
- Email us at security@swagger.io
Original vulnerability report
I'm performing OSS security research under the GitHub Security Lab Bug Bounty program. I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.
- https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f
- https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac
- https://github.com/github/codeql/pull/4473
The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.
This code exists in the code generator, in the generated code.
In this case, I believe this is only a local information disclosure. IE. another user can read the information, not replace it.
In particular, the method
File.createTempFilefrom the JDK is vulnerable to this local information disclosure vulnerability.This is because
File.createTempFilecreates a file inside of the system temporary directory with the permissions:-rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system.
- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/kotlin-client/infrastructure/ApiClient.kt.mustache#L209
- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/finch/api.mustache#L84
- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L831-L834
- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L630-L633
The fix here is to switch to the
FilesAPI, instead ofFileas that appropriately sets the file permissions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.swagger:swagger-codegen"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21364"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-378",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-11T03:08:54Z",
"nvd_published_at": "2021-03-11T03:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\n**This vulnerability impacts generated code.** If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually!\n\nOn Unix-Like systems, the system temporary directory is shared between all local users. When files/directories are created, the default `umask` settings for the process are respected. As a result, by default, most processes/apis will create files/directories with the permissions `-rw-r--r--` and `drwxr-xr-x` respectively, unless an API that explicitly sets safe file permissions is used.\n\n#### Java Code\n\nThe method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability.\n\n- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/kotlin-client/infrastructure/ApiClient.kt.mustache#L209\n- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/finch/api.mustache#L84\n- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L831-L834\n- https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L630-L633\n\n### Patches\n\nFix has been applied to the master branch with:\n\n* https://github.com/swagger-api/swagger-codegen/commit/35adbd552d5f99b3ff1e0e59da228becc85190f2\n\nincluded in release: 2.4.19\n\n\n### Workarounds\n\nUsers can remediate the vulnerability in non patched version by manually (or programmatically e.g. in CI) updating the generated source code to use `java.nio.files.Files` temporary file creation instead of `java.io.File`, e.g. by changing\n\n```java\n\n if (tempFolderPath == null)\n return File.createTempFile(prefix, suffix);\n else\n return File.createTempFile(prefix, suffix, new File(tempFolderPath));\n\n```\n\nto \n\n```java\n\n if (tempFolderPath == null)\n return Files.createTempFile(prefix, suffix).toFile();\n else\n return Files.createTempFile(Paths.get(tempFolderPath), prefix, suffix).toFile();\n\n```\n\nor generally changing:\n\n```java\n\nFile.createTempFile(prefix, suffix);\n\n```\n\nto \n\n```java\n\nFiles.createTempFile(prefix, suffix).toFile();\n\n```\n\n### References\n\n* [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n* [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html)\n* [CWE-732: Incorrect Permission Assignment for Critical Resource](https://cwe.mitre.org/data/definitions/732.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Email us at [security@swagger.io](mailto:security@swagger.io)\n\n#### Original vulnerability report\n\n\u003e I\u0027m performing OSS security research under the GitHub Security Lab Bug Bounty program.\n\u003e I\u0027ve been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.\n\u003e \n\u003e - https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f\n\u003e - https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac\n\u003e - https://github.com/github/codeql/pull/4473\n\u003e \n\u003e The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.\n\u003e \n\u003e ---\n\u003e \n\u003e This code exists in the code generator, in the generated code.\n\u003e \n\u003e In this case, I believe this is only a local information disclosure. IE. another user can read the information, not replace it.\n\u003e \n\u003e In particular, the method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability.\n\u003e \n\u003e This is because `File.createTempFile` creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system.\n\u003e \n\u003e - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/kotlin-client/infrastructure/ApiClient.kt.mustache#L209\n\u003e - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/finch/api.mustache#L84\n\u003e - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/okhttp-gson/ApiClient.mustache#L831-L834\n\u003e - https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-codegen/src/main/resources/Java/libraries/jersey2/ApiClient.mustache#L630-L633\n\u003e \n\u003e The fix here is to switch to the `Files` API, instead of `File` as that appropriately sets the file permissions.\n\u003e ",
"id": "GHSA-hpv8-9rq5-hq7w",
"modified": "2022-10-25T20:35:54Z",
"published": "2021-03-11T03:09:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-hpv8-9rq5-hq7w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21364"
},
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-codegen/commit/35adbd552d5f99b3ff1e0e59da228becc85190f2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Generated Code Contains Local Information Disclosure Vulnerability"
}
GHSA-J75R-VF64-6RRH
Vulnerability from github – Published: 2023-02-24 18:30 – Updated: 2023-03-07 04:03In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.quarkus.resteasy.reactive:resteasy-reactive-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.0.Alpha4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0481"
],
"database_specific": {
"cwe_ids": [
"CWE-378",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-24T19:55:15Z",
"nvd_published_at": "2023-02-24T18:15:00Z",
"severity": "LOW"
},
"details": "In RestEasy Reactive implementation of Quarkus the insecure `File.createTempFile()` is used in the `FileBodyHandler` class which creates temp files with insecure permissions that could be read by a local user.",
"id": "GHSA-j75r-vf64-6rrh",
"modified": "2023-03-07T04:03:37Z",
"published": "2023-02-24T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0481"
},
{
"type": "WEB",
"url": "https://github.com/quarkusio/quarkus/pull/30694"
},
{
"type": "WEB",
"url": "https://github.com/quarkusio/quarkus/commit/95d5904f7cf18c8165b97d8ca03b203d7f69c17e"
},
{
"type": "PACKAGE",
"url": "https://github.com/quarkusio/quarkus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "RestEasy Reactive implementation of Quarkus allows Creation of Temporary File With Insecure Permissions"
}
GHSA-JC2V-4568-J7G2
Vulnerability from github – Published: 2024-08-01 15:32 – Updated: 2024-08-01 15:32A vulnerability was found in Point B Ltd Getscreen Agent 2.19.6 on Windows. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file getscreen.msi of the component Installation. The manipulation leads to creation of temporary file with insecure permissions. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier VDB-273337 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but was not able to provide a technical response in time.
{
"affected": [],
"aliases": [
"CVE-2024-7358"
],
"database_specific": {
"cwe_ids": [
"CWE-378"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-01T14:15:03Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Point B Ltd Getscreen Agent 2.19.6 on Windows. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file getscreen.msi of the component Installation. The manipulation leads to creation of temporary file with insecure permissions. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier VDB-273337 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but was not able to provide a technical response in time.",
"id": "GHSA-jc2v-4568-j7g2",
"modified": "2024-08-01T15:32:20Z",
"published": "2024-08-01T15:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7358"
},
{
"type": "WEB",
"url": "https://github.com/SaumyajeetDas/Vulnerability/tree/main/GetScreen"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.273337"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.273337"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.374979"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JHHR-8858-58W9
Vulnerability from github – Published: 2024-07-19 18:31 – Updated: 2024-08-01 15:32Insecure Permissions vulnerability in lin-CMS v.0.2.0 and before allows a remote attacker to obtain sensitive information via the login method in the UserController.java component.
{
"affected": [],
"aliases": [
"CVE-2024-41601"
],
"database_specific": {
"cwe_ids": [
"CWE-277",
"CWE-378"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-19T17:15:03Z",
"severity": "HIGH"
},
"details": "Insecure Permissions vulnerability in lin-CMS v.0.2.0 and before allows a remote attacker to obtain sensitive information via the login method in the UserController.java component.",
"id": "GHSA-jhhr-8858-58w9",
"modified": "2024-08-01T15:32:06Z",
"published": "2024-07-19T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41601"
},
{
"type": "WEB",
"url": "https://github.com/topsky979/Security-Collections/tree/main/CVE-2024-41601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JRMH-V64J-MJM9
Vulnerability from github – Published: 2023-02-18 00:31 – Updated: 2025-01-15 18:56Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2c6g-pfx3-w7h8. This link is maintained to preserve external references.
Original Description
In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.7.8.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0.Alpha1"
},
{
"fixed": "5.0.6.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0.Beta1"
},
{
"fixed": "6.2.3.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-multipart-provider"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.7.8.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-multipart-provider"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0.Alpha1"
},
{
"fixed": "5.0.6.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-multipart-provider"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0.Beta1"
},
{
"fixed": "6.2.3.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-378"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-18T02:18:19Z",
"nvd_published_at": "2023-02-17T22:15:00Z",
"severity": "MODERATE"
},
"details": "# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-2c6g-pfx3-w7h8. This link is maintained to preserve external references.\n\n# Original Description\nIn RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.",
"id": "GHSA-jrmh-v64j-mjm9",
"modified": "2025-01-15T18:56:33Z",
"published": "2023-02-18T00:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482"
},
{
"type": "WEB",
"url": "https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56"
},
{
"type": "WEB",
"url": "https://github.com/orgs/resteasy/discussions/3415"
},
{
"type": "WEB",
"url": "https://github.com/orgs/resteasy/discussions/3504"
},
{
"type": "WEB",
"url": "https://github.com/orgs/resteasy/discussions/3506"
},
{
"type": "PACKAGE",
"url": "https://github.com/resteasy/Resteasy"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/RESTEASY-3286"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230427-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Insecure Temporary File in RESTEasy",
"withdrawn": "2025-01-15T18:56:33Z"
}
GHSA-M68Q-4HQR-MC6F
Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2026-01-15 12:30A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/containers/podman/v5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-4953"
],
"database_specific": {
"cwe_ids": [
"CWE-378"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-16T20:21:02Z",
"nvd_published_at": "2025-09-16T15:15:45Z",
"severity": "HIGH"
},
"details": "A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.",
"id": "GHSA-m68q-4hqr-mc6f",
"modified": "2026-01-15T12:30:25Z",
"published": "2025-09-16T15:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4953"
},
{
"type": "WEB",
"url": "https://github.com/containers/podman/pull/25173"
},
{
"type": "PACKAGE",
"url": "https://github.com/containers/podman"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367235"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-4953"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0316"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:2703"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23113"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22732"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22724"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22695"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22275"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22265"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17669"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:16729"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:16724"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15904"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8690"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Podman Creates Temporary File with Insecure Permissions"
}
GHSA-P74H-FJJV-JRM8
Vulnerability from github – Published: 2024-07-09 12:30 – Updated: 2024-07-09 12:30A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly assign rights to temporary files created during its update process. This could allow an authenticated attacker with the 'Manage firmware updates' role to escalate their privileges on the underlying OS level.
{
"affected": [],
"aliases": [
"CVE-2024-39872"
],
"database_specific": {
"cwe_ids": [
"CWE-378"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T12:15:19Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.2 SP1). The affected application does not properly assign rights to temporary files created during its update process. This could allow an authenticated attacker with the \u0027Manage firmware updates\u0027 role to escalate their privileges on the underlying OS level.",
"id": "GHSA-p74h-fjjv-jrm8",
"modified": "2024-07-09T12:30:57Z",
"published": "2024-07-09T12:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39872"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-381581.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PC22-3G76-GM6J
Vulnerability from github – Published: 2021-03-11 03:09 – Updated: 2021-03-22 23:45Impact
On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory.
This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.
Java Code
The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.
https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185
Patches
Fix has been applied to the master branch with:
- https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89
included in release: 2.4.19
References
- CWE-378: Creation of Temporary File With Insecure Permissions
- CWE-379: Creation of Temporary File in Directory with Insecure Permissions
For more information
If you have any questions or comments about this advisory:
- Email us at security@swagger.io
Original vulnerability report
I'm performing OSS security research under the GitHub Security Lab Bug Bounty program. I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.
- https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f
- https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac
- https://github.com/github/codeql/pull/4473
The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.
This vulnerability exists in the maven plugin.
This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability.
https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185
This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project.
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6
This is due to a race condition between the call to
deleteand the call tomkdirs.
java // ensure file will always be unique by appending random digits File outputFolder = File.createTempFile("codegen-", "-tmp"); // Attacker knows the full path of the file that will be generated // delete the file that was created outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator. // and make a directory of the same name // SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory outputFolder.mkdirs();This vulnerability is local privilege escalation because the contents of the
outputFoldercan be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.The fix here is to switch to the
FilesAPI for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.swagger:swagger-codegen"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21363"
],
"database_specific": {
"cwe_ids": [
"CWE-378",
"CWE-379"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-11T03:07:41Z",
"nvd_published_at": "2021-03-11T03:15:00Z",
"severity": "LOW"
},
"details": "### Impact\n\nOn Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. \n\nThis vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.\n\n#### Java Code\n\nThe method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability.\n\nhttps://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185\n\n\n### Patches\n\nFix has been applied to the master branch with:\n\n* https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89\n\nincluded in release: 2.4.19\n\n\n### References\n\n* [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n* [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Email us at [security@swagger.io](mailto:security@swagger.io)\n\n#### Original vulnerability report\n\n\u003e I\u0027m performing OSS security research under the GitHub Security Lab Bug Bounty program.\n\u003e I\u0027ve been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.\n\u003e \n\u003e - https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f\n\u003e - https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac\n\u003e - https://github.com/github/codeql/pull/4473\n\u003e \n\u003e The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.\n\u003e \n\u003e ---\n\u003e \n\u003e This vulnerability exists in the maven plugin.\n\u003e \n\u003e This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability.\n\u003e \n\u003e https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185\n\u003e \n\u003e This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project.\n\u003e \n\u003e https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\u003e \n\u003e This is due to a race condition between the call to `delete` and the call to `mkdirs`.\n\u003e \n\u003e ```java\n\u003e // ensure file will always be unique by appending random digits\n\u003e File outputFolder = File.createTempFile(\"codegen-\", \"-tmp\"); // Attacker knows the full path of the file that will be generated\n\u003e // delete the file that was created\n\u003e outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator.\n\u003e // and make a directory of the same name\n\u003e // SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory\n\u003e outputFolder.mkdirs();\n\u003e ```\n\u003e \n\u003e This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.\n\u003e \n\u003e The fix here is to switch to the `Files` API for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions.\n\u003e ",
"id": "GHSA-pc22-3g76-gm6j",
"modified": "2021-03-22T23:45:20Z",
"published": "2021-03-11T03:09:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21363"
},
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory"
}
Mitigation
Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.
Mitigation
Ensure that you use proper file permissions. This can be achieved by using a safe temp file function. Temporary files should be writable and readable only by the process that owns the file.
Mitigation
Randomize temporary file names. This can also be achieved by using a safe temp-file function. This will ensure that temporary files will not be created in predictable places.
No CAPEC attack patterns related to this CWE.