Common Weakness Enumeration

CWE-377

Allowed-with-Review

Insecure Temporary File

Abstraction: Class · Status: Incomplete

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

170 vulnerabilities reference this CWE, most recent first.

GHSA-3CGW-CPCX-P7G4

Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-02-17 15:31
VLAI
Details

An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Tahoe 26.3. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T23:16:05Z",
    "severity": "MODERATE"
  },
  "details": "An issue was addressed with improved handling of temporary files. This issue is fixed in macOS Tahoe 26.3. An app may be able to access user-sensitive data.",
  "id": "GHSA-3cgw-cpcx-p7g4",
  "modified": "2026-02-17T15:31:34Z",
  "published": "2026-02-12T00:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20618"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126348"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3J78-4863-937G

Vulnerability from github – Published: 2026-03-25 03:31 – Updated: 2026-03-25 21:30
VLAI
Details

A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to access sensitive user data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T01:17:04Z",
    "severity": "MODERATE"
  },
  "details": "A privacy issue was addressed with improved handling of temporary files. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to access sensitive user data.",
  "id": "GHSA-3j78-4863-937g",
  "modified": "2026-03-25T21:30:28Z",
  "published": "2026-03-25T03:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20651"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126348"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126350"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126795"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-47WV-VHJ2-G66M

Vulnerability from github – Published: 2022-03-29 19:18 – Updated: 2024-09-20 21:30
VLAI
Summary
Use of insecure temporary file in Horovod
Details

Impact

The insecure tempfile.mktemp() is used when Horovod is run in an LSF job with jsrun. In that situation, a jsrun rank file is created with mktemp, which could be hijacked by another process to read or manipulate the content.

This issue does not impact the use of MPI, Gloo, Spark or Ray.

Patches

The problem has been fixed in b96ecae4.

Workarounds

The rank file is not created when binding_args are provided in the Settings instance.

References

Please see https://github.com/horovod/horovod/pull/3358 for details.

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/horovod/horovod

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "horovod"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-29T19:18:32Z",
    "nvd_published_at": "2022-03-24T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe insecure `tempfile.mktemp()` is used when Horovod is run in an LSF job with `jsrun`. In that situation, a jsrun rank file is created with `mktemp`, which could be hijacked by another process to read or manipulate the content.\n\nThis issue does not impact the use of MPI, Gloo, Spark or Ray.\n\n### Patches\nThe problem has been fixed in [b96ecae4](https://github.com/horovod/horovod/commit/b96ecae4dc69fc0a83c7c2d3f1dde600c20a1b41).\n\n### Workarounds\nThe rank file is not created when `binding_args` are provided in the `Settings` instance.\n\n### References\nPlease see https://github.com/horovod/horovod/pull/3358 for details.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [https://github.com/horovod/horovod](https://github.com/horovod/horovod/issues/new/choose)",
  "id": "GHSA-47wv-vhj2-g66m",
  "modified": "2024-09-20T21:30:25Z",
  "published": "2022-03-29T19:18:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/horovod/horovod/security/advisories/GHSA-47wv-vhj2-g66m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/horovod/horovod/pull/3358"
    },
    {
      "type": "WEB",
      "url": "https://github.com/horovod/horovod/commit/b96ecae4dc69fc0a83c7c2d3f1dde600c20a1b41"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-47wv-vhj2-g66m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/horovod/horovod"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/horovod/PYSEC-2022-175.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/7e50397b-dd63-4bb5-b56d-704094a7da45"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Use of insecure temporary file in Horovod"
}

GHSA-4VP2-6Q8C-PVQ2

Vulnerability from github – Published: 2026-06-25 16:53 – Updated: 2026-06-25 16:53
VLAI
Summary
@anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write
Details

The Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command.

Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.

Claude Code thanks hackerone.com/c_h4ck_0 for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@anthropic-ai/claude-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.59"
            },
            {
              "fixed": "2.1.128"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-377",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T16:53:00Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The Claude Code `/copy` command wrote responses to a hardcoded, predictable path (`/tmp/claude/response.md`) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user\u0027s Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the `/copy` command.\n\nUsers on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.\n\nClaude Code thanks hackerone.com/c_h4ck_0 for reporting this issue.",
  "id": "GHSA-4vp2-6q8c-pvq2",
  "modified": "2026-06-25T16:53:00Z",
  "published": "2026-06-25T16:53:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-4vp2-6q8c-pvq2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anthropics/claude-code"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write"
}

GHSA-53WM-97P6-582F

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2026-06-05 17:53
VLAI
Summary
instack-undercloud vulnerable to symlink attack on tmp files
Details

A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "instack-undercloud"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "7.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-7549"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T22:48:23Z",
    "nvd_published_at": "2017-09-21T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.",
  "id": "GHSA-53wm-97p6-582f",
  "modified": "2026-06-05T17:53:43Z",
  "published": "2022-05-13T01:07:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7549"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2557"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2649"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2687"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2693"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2726"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2017-7549"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1477403"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/instack/PYSEC-2017-152.yaml"
    },
    {
      "type": "WEB",
      "url": "https://opendev.org/openstack/instack-undercloud"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20170907040549/http://www.securityfocus.com/bid/100407"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100407"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "instack-undercloud vulnerable to symlink attack on tmp files"
}

GHSA-5MP3-VQFJ-W7MQ

Vulnerability from github – Published: 2022-09-21 00:00 – Updated: 2022-09-23 00:00
VLAI
Details

In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript uses a PID file that is writable by the smokeping user. By writing arbitrary PIDs to that file, the smokeping user can cause a denial of service to arbitrary PIDs when the service is stopped.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-20147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-20T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript uses a PID file that is writable by the smokeping user. By writing arbitrary PIDs to that file, the smokeping user can cause a denial of service to arbitrary PIDs when the service is stopped.",
  "id": "GHSA-5mp3-vqfj-w7mq",
  "modified": "2022-09-23T00:00:43Z",
  "published": "2022-09-21T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20147"
    },
    {
      "type": "WEB",
      "url": "https://bugs.gentoo.org/631140"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202209-08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QVP-PR9F-2G2V

Vulnerability from github – Published: 2026-04-01 20:52 – Updated: 2026-04-01 20:52
VLAI
Summary
poetry-plugin-tweak-dependencies-version affected by CVE-2026-25645
Details

Pin vulnerable version of requests library

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.5.5"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "poetry-plugin-tweak-dependencies-version"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T20:52:20Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Pin vulnerable version of requests library",
  "id": "GHSA-5qvp-pr9f-2g2v",
  "modified": "2026-04-01T20:52:21Z",
  "published": "2026-04-01T20:52:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbrunner/poetry-plugin-tweak-dependencies-version/security/advisories/GHSA-5qvp-pr9f-2g2v"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbrunner/poetry-plugin-tweak-dependencies-version/commit/54b5784d89f36cd413a8bc5032ab0a96438dcae3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sbrunner/poetry-plugin-tweak-dependencies-version"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sbrunner/poetry-plugin-tweak-dependencies-version/releases/tag/1.5.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "poetry-plugin-tweak-dependencies-version affected by CVE-2026-25645"
}

GHSA-67V8-88JF-4X6Q

Vulnerability from github – Published: 2026-06-29 12:31 – Updated: 2026-07-01 15:34
VLAI
Details

GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.

This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41991"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T12:16:29Z",
    "severity": "LOW"
  },
  "details": "GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user\u2019s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks.\nA local attacker can pre\u2011create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time\u2011of\u2011check to time\u2011of\u2011use (TOCTOU) condition that allows arbitrary file overwrite.\n\nThis issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269",
  "id": "GHSA-67v8-88jf-4x6q",
  "modified": "2026-07-01T15:34:56Z",
  "published": "2026-06-29T12:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41991"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2026/04/CVE-2026-41991"
    },
    {
      "type": "WEB",
      "url": "https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=4e6f8b24ab823146ab8776f0b7fe486ab34d4269"
    },
    {
      "type": "WEB",
      "url": "https://www.gnu.org/software/gzip"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6WXM-MPQJ-6JPF

Vulnerability from github – Published: 2025-01-28 17:29 – Updated: 2025-02-18 22:36
VLAI
Summary
Insecure Temporary File usage in github.com/golang/glog
Details

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/golang/glog"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-61"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-28T17:29:03Z",
    "nvd_published_at": "2025-01-28T02:15:28Z",
    "severity": "MODERATE"
  },
  "details": "When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process\u0027s log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.",
  "id": "GHSA-6wxm-mpqj-6jpf",
  "modified": "2025-02-18T22:36:58Z",
  "published": "2025-01-28T17:29:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45339"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/glog/pull/74"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/glog/pull/74/commits/b8741656e406e66d6992bc2c9575e460ecaa0ec2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/golang/glog"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/H-Q4ouHWyKs"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Insecure Temporary File usage in github.com/golang/glog"
}

GHSA-6XP6-FMC8-PMMR

Vulnerability from github – Published: 2022-03-18 17:50 – Updated: 2022-03-18 17:50
VLAI
Summary
Temporary Directory Hijacking Vulnerability in Keycloak
Details

A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-20202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T21:01:15Z",
    "nvd_published_at": "2021-05-12T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.",
  "id": "GHSA-6xp6-fmc8-pmmr",
  "modified": "2022-03-18T17:50:45Z",
  "published": "2022-03-18T17:50:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-7gf3-89f6-823j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20202"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922128"
    },
    {
      "type": "WEB",
      "url": "https://issues.redhat.com/browse/KEYCLOAK-17000"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Temporary Directory Hijacking Vulnerability in Keycloak"
}

No mitigation information available for this CWE.

CAPEC-149: Explore for Predictable Temporary File Names

An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.

CAPEC-155: Screen Temporary Files for Sensitive Information

An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.