CWE-377
Allowed-with-ReviewInsecure Temporary File
Abstraction: Class · Status: Incomplete
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
170 vulnerabilities reference this CWE, most recent first.
GHSA-772J-XVF9-QPF5
Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2024-11-26 16:10A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. The highest Threat out of this flaw is to integrity and confidentiality.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible-runner"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3702"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-377"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-01T22:17:50Z",
"nvd_published_at": "2022-08-23T16:15:00Z",
"severity": "MODERATE"
},
"details": "A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner\u0027s private_data_dir the next time ansible-runner made use of the private_data_dir. The highest Threat out of this flaw is to integrity and confidentiality.",
"id": "GHSA-772j-xvf9-qpf5",
"modified": "2024-11-26T16:10:26Z",
"published": "2022-08-24T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3702"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible-runner/pull/742"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible-runner/pull/742/commits"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible-runner/commit/93e95a3df9021a38010386d07df121392d249253"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-3702"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977965"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible-runner/PYSEC-2022-43068.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ansible-runner vulnerable to Race Condition"
}
GHSA-77G3-3J5W-64W4
Vulnerability from github – Published: 2021-04-07 20:36 – Updated: 2024-09-06 20:16A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0a1"
},
{
"fixed": "2.7.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0a1"
},
{
"fixed": "2.8.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0a1"
},
{
"fixed": "2.9.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-10685"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-459",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-05T14:11:30Z",
"nvd_published_at": "2020-05-11T14:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.",
"id": "GHSA-77g3-3j5w-64w4",
"modified": "2024-09-06T20:16:43Z",
"published": "2021-04-07T20:36:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10685"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/pull/68433"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/4e1fe80e681fa466626e9dea53efe6b0253ea1b2"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/51d2514753544a9d58cd7524e27e696b2c944fb5"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/e1273b6faf036ed84e4f4edee85b888a4e256aee"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10685"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-77g3-3j5w-64w4"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-1.yaml"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202006-11"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4950"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Exposure of Resource to Wrong Sphere and Insecure Temporary File in Ansible"
}
GHSA-7MCW-XMX3-7P8M
Vulnerability from github – Published: 2023-06-13 18:30 – Updated: 2023-06-21 17:18Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "cn.hutool:hutool-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.8.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-33695"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-14T16:38:27Z",
"nvd_published_at": "2023-06-13T16:15:13Z",
"severity": "HIGH"
},
"details": "Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the `File.createTempFile()` function at `/core/io/FileUtil.java`.",
"id": "GHSA-7mcw-xmx3-7p8m",
"modified": "2023-06-21T17:18:42Z",
"published": "2023-06-13T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33695"
},
{
"type": "WEB",
"url": "https://github.com/dromara/hutool/issues/3103"
},
{
"type": "WEB",
"url": "https://github.com/dromara/hutool/commit/c33550f703f5d1d7dd71ad2992d79a5e5532ce2c"
},
{
"type": "PACKAGE",
"url": "https://github.com/dromara/hutool"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insecure Temporary File in HuTool"
}
GHSA-867Q-77CC-98MV
Vulnerability from github – Published: 2021-04-29 21:51 – Updated: 2021-05-10 19:29Impact
Using File.createTempFile in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. This vulnerability only impacts unix-like systems where the local system temporary directory is shared between all users. This vulnerability does not impact Windows or modern versions of MacOS.
OpenAPI Generator Maven plug-in creates insecure temporary files during the code generation process. It creates insecure temporary files to store the OpenAPI specification files provided by the users and these temporary files can be read by any users in the system.
The impact of this vulnerability is information disclosure of the contents of the specification file to other local users.
Patches
The issue has been patched with Files.createTempFile and released in the v5.1.0 stable version.
For more information
If you have any questions or comments about this advisory: * Open an issue in OpenAPI Generator Github repo * Email us at security@openapitools.org
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.openapitools:openapi-generator-maven-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21429"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-378",
"CWE-379",
"CWE-552"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-27T19:58:51Z",
"nvd_published_at": "2021-04-27T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nUsing `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. This vulnerability only impacts unix-like systems where the local system temporary directory is shared between all users. This vulnerability does not impact Windows or modern versions of MacOS.\n\nOpenAPI Generator Maven plug-in creates insecure temporary files during the code generation process. It creates insecure temporary files to store the OpenAPI specification files provided by the users and these temporary files can be read by any users in the system.\n\nThe impact of this vulnerability is information disclosure of the contents of the specification file to other local users.\n\n### Patches\nThe issue has been patched with `Files.createTempFile` and released in the v5.1.0 stable version.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [OpenAPI Generator Github repo](https://github.com/openAPITools/openapi-generator/)\n* Email us at [security@openapitools.org](mailto:security@openapitools.org)",
"id": "GHSA-867q-77cc-98mv",
"modified": "2021-05-10T19:29:52Z",
"published": "2021-04-29T21:51:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-867q-77cc-98mv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21429"
},
{
"type": "WEB",
"url": "https://github.com/OpenAPITools/openapi-generator/pull/8795"
},
{
"type": "WEB",
"url": "https://github.com/OpenAPITools/openapi-generator/blob/06ad7a51eff04393203cfa715e54e1fb59d984fe/modules/openapi-generator-maven-plugin/src/main/java/org/openapitools/codegen/plugin/CodeGenMojo.java#L782-L799"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Creation of Temporary File in Directory with Insecure Permissions in the OpenAPI Generator Maven plugin"
}
GHSA-8MPM-Q7MH-8FVH
Vulnerability from github – Published: 2026-03-18 16:09 – Updated: 2026-03-18 16:09Summary
The Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.
Details
Issue 1 - Arbitrary file overwrite via .capgo symlink (login --local)
- Location: src/login.ts
- Behavior: loginInternal(..., { local: true }) performs writeFileSync('.capgo', ...) before validating the API key with verifyUser().
- No checks are performed to prevent writing through a symlink.
- Result: if .capgo is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled content (the provided API key string), even when login fails.
Issue 2 - Arbitrary file overwrite via .capgo-credentials.json symlink (build credentials save --local)
- Location: src/build/credentials.ts (local path is join(cwd(), '.capgo-credentials.json'))
- Behavior: credentials are written using writeFile() without checking whether the destination is a symlink.
- Result: if .capgo-credentials.json is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled JSON (including base64-encoded credential material). This occurs even if the user is not logged in / no API key exists.
Issue 3 - Insecure default permissions for global credentials
- Location: src/build/credentials.ts (global path $HOME/.capgo-credentials/credentials.json)
- Observed permissions after save: -rw-rw-r-- (664)
- Impact: credentials file contains sensitive signing material (e.g., Android keystore + Play config; iOS cert/profile/API key in other flows). World/group readability is unsafe on shared hosts and CI runners. Expected minimum: file 0600, directory 0700.
PoC
PoC A: .capgo symlink clobber (writes even when API key invalid)
set -euo pipefail
BASE="/tmp/capgo_cli_poc_$(date +%s)"
HOME_SANDBOX="$BASE/home"
REPO="$BASE/repo"
TARGET="$BASE/clobbered.txt"
mkdir -p "$HOME_SANDBOX" "$REPO"
cd "$REPO"
git init -q
ln -s "$TARGET" .capgo
# This should fail auth, but still overwrites TARGET
HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 login "INVALID_KEY_SHOULD_FAIL" --local || true
echo "== TARGET content =="
cat "$TARGET"
Expected: On invalid key, nothing is written; .capgo should never follow symlinks. Observed: TARGET contains INVALID_KEY_SHOULD_FAIL.
PoC B: .capgo-credentials.json symlink clobber (no login required)
set -euo pipefail
BASE="/tmp/capgo_creds_symlink_$(date +%s)"
HOME_SANDBOX="$BASE/home"
REPO="$BASE/repo"
TARGET="$BASE/clobbered_creds.txt"
mkdir -p "$HOME_SANDBOX" "$REPO"
cd "$REPO"
git init -q
ln -s "$TARGET" .capgo-credentials.json
HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 build credentials save \
--local --platform android --appId com.example.app \
--keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true
echo "== TARGET exists and contains JSON written via symlink =="
ls -la "$TARGET" || true
cat "$TARGET" || true
Expected: Refuse to write if destination is symlink; ideally require safe location and permissions. Observed: TARGET is created/overwritten with credentials JSON.
PoC C: global credentials permissions are world-readable
set -euo pipefail
BASE="/tmp/capgo_creds_perm_$(date +%s)"
HOME_SANDBOX="$BASE/home"
mkdir -p "$HOME_SANDBOX"
HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 build credentials save \
--platform android --appId com.example.app \
--keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true
CREDS="$HOME_SANDBOX/.capgo-credentials/credentials.json"
ls -la "$CREDS" || true
stat -c '%a %U:%G %n' "$CREDS" || true
Observed: credentials.json created with mode 664 (-rw-rw-r--).
Impact
- Arbitrary file overwrite (clobber) as the user running the CLI (developer workstation / CI runner).
- This can cause:
developer environment compromise or sabotage (overwriting config files, scripts, env files) accidental or malicious leakage/destruction of secrets
- Local secret exposure: global credentials written as 664 allows other local users to read signing material on shared machines.
- A realistic scenario: a developer runs npx @capgo/cli ... --local inside an untrusted repo/template; the repo contains malicious symlinks.
Suggested remediation
- Do not write .capgo until after API key validation succeeds.
- For all secret/config writes:
refuse symlink destinations (lstat + isSymbolicLink) use safe file creation and enforce permissions (0600 for files; 0700 for directories) write atomically (temp file + rename) after safety checks
- Avoid blindly appending to .gitignore unless it is a regular file (also check for symlink).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@capgo/cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.84.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-377",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T16:09:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer\u2019s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.\n\n### Details\nIssue 1 - Arbitrary file overwrite via .capgo symlink (login --local)\n\n- Location: src/login.ts\n- Behavior: loginInternal(..., { local: true }) performs writeFileSync(\u0027.capgo\u0027, ...) before validating the API key with verifyUser().\n- No checks are performed to prevent writing through a symlink.\n- Result: if .capgo is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled content (the provided API key string), even when login fails.\n\nIssue 2 - Arbitrary file overwrite via .capgo-credentials.json symlink (build credentials save --local)\n\n- Location: src/build/credentials.ts (local path is join(cwd(), \u0027.capgo-credentials.json\u0027))\n- Behavior: credentials are written using writeFile() without checking whether the destination is a symlink.\n- Result: if .capgo-credentials.json is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled JSON (including base64-encoded credential material). This occurs even if the user is not logged in / no API key exists.\n\nIssue 3 - Insecure default permissions for global credentials\n\n- Location: src/build/credentials.ts (global path $HOME/.capgo-credentials/credentials.json)\n- Observed permissions after save: -rw-rw-r-- (664)\n- Impact: credentials file contains sensitive signing material (e.g., Android keystore + Play config; iOS cert/profile/API key in other flows). World/group readability is unsafe on shared hosts and CI runners. Expected minimum: file 0600, directory 0700.\n\n### PoC\nPoC A: .capgo symlink clobber (writes even when API key invalid)\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_cli_poc_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nREPO=\"$BASE/repo\"\nTARGET=\"$BASE/clobbered.txt\"\n\nmkdir -p \"$HOME_SANDBOX\" \"$REPO\"\ncd \"$REPO\"\ngit init -q\n\nln -s \"$TARGET\" .capgo\n\n# This should fail auth, but still overwrites TARGET\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 login \"INVALID_KEY_SHOULD_FAIL\" --local || true\n\necho \"== TARGET content ==\"\ncat \"$TARGET\"\n```\n_Expected: On invalid key, nothing is written; .capgo should never follow symlinks.\nObserved: TARGET contains INVALID_KEY_SHOULD_FAIL._\n\nPoC B: .capgo-credentials.json symlink clobber (no login required)\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_creds_symlink_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nREPO=\"$BASE/repo\"\nTARGET=\"$BASE/clobbered_creds.txt\"\n\nmkdir -p \"$HOME_SANDBOX\" \"$REPO\"\ncd \"$REPO\"\ngit init -q\n\nln -s \"$TARGET\" .capgo-credentials.json\n\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 build credentials save \\\n --local --platform android --appId com.example.app \\\n --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true\n\necho \"== TARGET exists and contains JSON written via symlink ==\"\nls -la \"$TARGET\" || true\ncat \"$TARGET\" || true\n```\n_Expected: Refuse to write if destination is symlink; ideally require safe location and permissions.\nObserved: TARGET is created/overwritten with credentials JSON._\n\nPoC C: global credentials permissions are world-readable\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_creds_perm_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nmkdir -p \"$HOME_SANDBOX\"\n\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 build credentials save \\\n --platform android --appId com.example.app \\\n --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true\n\nCREDS=\"$HOME_SANDBOX/.capgo-credentials/credentials.json\"\nls -la \"$CREDS\" || true\nstat -c \u0027%a %U:%G %n\u0027 \"$CREDS\" || true\n```\n_Observed: credentials.json created with mode 664 (-rw-rw-r--)._\n\n### Impact\n\n- Arbitrary file overwrite (clobber) as the user running the CLI (developer workstation / CI runner).\n- This can cause:\n\n\u003edeveloper environment compromise or sabotage (overwriting config files, scripts, env files)\n\u003eaccidental or malicious leakage/destruction of secrets\n\n- Local secret exposure: global credentials written as 664 allows other local users to read signing material on shared machines.\n- A realistic scenario: a developer runs npx @capgo/cli ... --local inside an untrusted repo/template; the repo contains malicious symlinks.\n\n### Suggested remediation\n\n- Do not write .capgo until after API key validation succeeds.\n- For all secret/config writes:\n\n\u003erefuse symlink destinations (lstat + isSymbolicLink)\n\u003euse safe file creation and enforce permissions (0600 for files; 0700 for directories)\n\u003ewrite atomically (temp file + rename) after safety checks\n\n- Avoid blindly appending to .gitignore unless it is a regular file (also check for symlink).",
"id": "GHSA-8mpm-q7mh-8fvh",
"modified": "2026-03-18T16:09:42Z",
"published": "2026-03-18T16:09:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-8mpm-q7mh-8fvh"
},
{
"type": "WEB",
"url": "https://github.com/Cap-go/CLI/commit/b8aa5ccbfad2d7f10f3cdbc00910d4a6aab026b2"
},
{
"type": "PACKAGE",
"url": "https://github.com/Cap-go/capgo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)"
}
GHSA-8MVW-22R7-W6FQ
Vulnerability from github – Published: 2022-05-05 02:48 – Updated: 2023-03-08 19:28The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "ruby_parser"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.2"
},
{
"fixed": "3.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-0162"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-08T19:28:01Z",
"nvd_published_at": "2013-03-01T05:40:00Z",
"severity": "LOW"
},
"details": "The `diff_pp` function in `lib/gauntlet_rubyparser.rb` in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in `/tmp`.",
"id": "GHSA-8mvw-22r7-w6fq",
"modified": "2023-03-08T19:28:01Z",
"published": "2022-05-05T02:48:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0162"
},
{
"type": "WEB",
"url": "https://github.com/seattlerb/ruby_parser/commit/506c7e13cff6f8715385fa8488b621028b4ad280"
},
{
"type": "WEB",
"url": "https://github.com/seattlerb/ruby_parser/commit/c35acd878d50a8e4ea35933e3fbdc493421d422c"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2013:0544"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2013:0582"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2013-0162"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=892806"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby_parser/CVE-2013-0162.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/seattlerb/ruby_parser"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0544.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0548.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "ruby_parser allows local users to overwrite arbitrary files via symlink attack on temporary file with predictable name"
}
GHSA-8V4G-X6M4-P3QJ
Vulnerability from github – Published: 2024-09-27 09:30 – Updated: 2024-10-09 09:31Products for macOS enables a user logged on to the system to perform a denial-of-service attack, which could be misused to disable the protection of the ESET security product and cause general system slow-down.
{
"affected": [],
"aliases": [
"CVE-2024-6654"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-27T09:15:03Z",
"severity": "MODERATE"
},
"details": "Products for macOS enables a\u00a0user logged on to the system to perform a denial-of-service attack, which could be misused to disable the protection of the ESET security product and cause general system slow-down.",
"id": "GHSA-8v4g-x6m4-p3qj",
"modified": "2024-10-09T09:31:35Z",
"published": "2024-09-27T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6654"
},
{
"type": "WEB",
"url": "https://support.eset.com/en/ca8725-denial-of-service-vulnerability-in-eset-products-for-macos-fixed"
},
{
"type": "WEB",
"url": "https://support.eset.com/en/ca8725-local-privilege-escalation-vulnerability-in-eset-products-for-macos-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8XCQ-8JHF-W82H
Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 21:31Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory.
This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.. This vulnerability affects Firefox ESR < 91.7 and Thunderbird < 91.7.
{
"affected": [],
"aliases": [
"CVE-2022-26386"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in \u003ccode\u003e/tmp\u003c/code\u003e, but this behavior was changed to download them to \u003ccode\u003e/tmp\u003c/code\u003e where they could be affected by other local users. This behavior was reverted to the original, user-specific directory. \u003cbr\u003e*This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR \u003c 91.7 and Thunderbird \u003c 91.7.",
"id": "GHSA-8xcq-8jhf-w82h",
"modified": "2025-04-15T21:31:23Z",
"published": "2022-12-22T21:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26386"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1752396"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-11"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2022-12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8XRX-9WJ4-6775
Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-02-13 15:30A logging issue was addressed with improved data redaction. This issue is fixed in watchOS 26.3, iOS 26.3 and iPadOS 26.3, tvOS 26.3, macOS Tahoe 26.3. A user may be able to view sensitive user information.
{
"affected": [],
"aliases": [
"CVE-2026-20649"
],
"database_specific": {
"cwe_ids": [
"CWE-377"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T23:16:07Z",
"severity": "HIGH"
},
"details": "A logging issue was addressed with improved data redaction. This issue is fixed in watchOS 26.3, iOS 26.3 and iPadOS 26.3, tvOS 26.3, macOS Tahoe 26.3. A user may be able to view sensitive user information.",
"id": "GHSA-8xrx-9wj4-6775",
"modified": "2026-02-13T15:30:23Z",
"published": "2026-02-12T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20649"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126346"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126348"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126351"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/126352"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-925R-R6RP-2JJ7
Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-16 21:44A vulnerability has been found in ManyDesigns Portofino 5.3.2. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary file in directory with insecure permissions. Upgrading to version 5.3.3 is able to address this issue. The name of the patch is 94653cb357806c9cf24d8d294e6afea33f8f0775. It is recommended to upgrade the affected component.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.manydesigns:portofino"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3952"
],
"database_specific": {
"cwe_ids": [
"CWE-377",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-16T00:00:50Z",
"nvd_published_at": "2022-11-11T14:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been found in ManyDesigns Portofino 5.3.2. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary file in directory with insecure permissions. Upgrading to version 5.3.3 is able to address this issue. The name of the patch is 94653cb357806c9cf24d8d294e6afea33f8f0775. It is recommended to upgrade the affected component. ",
"id": "GHSA-925r-r6rp-2jj7",
"modified": "2022-11-16T21:44:44Z",
"published": "2022-11-11T19:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3952"
},
{
"type": "WEB",
"url": "https://github.com/ManyDesigns/Portofino/pull/580"
},
{
"type": "WEB",
"url": "https://github.com/ManyDesigns/Portofino/commit/94653cb357806c9cf24d8d294e6afea33f8f0775"
},
{
"type": "WEB",
"url": "https://github.com/ManyDesigns/Portofino"
},
{
"type": "WEB",
"url": "https://github.com/ManyDesigns/Portofino/releases/tag/v5.3.3"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.213457"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ManyDesigns Portofino subject to creation of insecure temporary file"
}
No mitigation information available for this CWE.
CAPEC-149: Explore for Predictable Temporary File Names
An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.
CAPEC-155: Screen Temporary Files for Sensitive Information
An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.