Common Weakness Enumeration

CWE-377

Allowed-with-Review

Insecure Temporary File

Abstraction: Class · Status: Incomplete

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

170 vulnerabilities reference this CWE, most recent first.

GHSA-772J-XVF9-QPF5

Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2024-11-26 16:10
VLAI
Summary
ansible-runner vulnerable to Race Condition
Details

A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. The highest Threat out of this flaw is to integrity and confidentiality.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible-runner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-377"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-01T22:17:50Z",
    "nvd_published_at": "2022-08-23T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner\u0027s private_data_dir the next time ansible-runner made use of the private_data_dir. The highest Threat out of this flaw is to integrity and confidentiality.",
  "id": "GHSA-772j-xvf9-qpf5",
  "modified": "2024-11-26T16:10:26Z",
  "published": "2022-08-24T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3702"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible-runner/pull/742"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible-runner/pull/742/commits"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible-runner/commit/93e95a3df9021a38010386d07df121392d249253"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2021-3702"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977965"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible-runner/PYSEC-2022-43068.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ansible-runner vulnerable to Race Condition"
}

GHSA-77G3-3J5W-64W4

Vulnerability from github – Published: 2021-04-07 20:36 – Updated: 2024-09-06 20:16
VLAI
Summary
Exposure of Resource to Wrong Sphere and Insecure Temporary File in Ansible
Details

A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0a1"
            },
            {
              "fixed": "2.7.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0a1"
            },
            {
              "fixed": "2.8.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0a1"
            },
            {
              "fixed": "2.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-10685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-459",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-05T14:11:30Z",
    "nvd_published_at": "2020-05-11T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.",
  "id": "GHSA-77g3-3j5w-64w4",
  "modified": "2024-09-06T20:16:43Z",
  "published": "2021-04-07T20:36:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10685"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/68433"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/4e1fe80e681fa466626e9dea53efe6b0253ea1b2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/51d2514753544a9d58cd7524e27e696b2c944fb5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/e1273b6faf036ed84e4f4edee85b888a4e256aee"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10685"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-77g3-3j5w-64w4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-1.yaml"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202006-11"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Exposure of Resource to Wrong Sphere and Insecure Temporary File in Ansible"
}

GHSA-7MCW-XMX3-7P8M

Vulnerability from github – Published: 2023-06-13 18:30 – Updated: 2023-06-21 17:18
VLAI
Summary
Insecure Temporary File in HuTool
Details

Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "cn.hutool:hutool-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.8.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-33695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-14T16:38:27Z",
    "nvd_published_at": "2023-06-13T16:15:13Z",
    "severity": "HIGH"
  },
  "details": "Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the `File.createTempFile()` function at `/core/io/FileUtil.java`.",
  "id": "GHSA-7mcw-xmx3-7p8m",
  "modified": "2023-06-21T17:18:42Z",
  "published": "2023-06-13T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33695"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dromara/hutool/issues/3103"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dromara/hutool/commit/c33550f703f5d1d7dd71ad2992d79a5e5532ce2c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dromara/hutool"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insecure Temporary File in HuTool"
}

GHSA-867Q-77CC-98MV

Vulnerability from github – Published: 2021-04-29 21:51 – Updated: 2021-05-10 19:29
VLAI
Summary
Creation of Temporary File in Directory with Insecure Permissions in the OpenAPI Generator Maven plugin
Details

Impact

Using File.createTempFile in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. This vulnerability only impacts unix-like systems where the local system temporary directory is shared between all users. This vulnerability does not impact Windows or modern versions of MacOS.

OpenAPI Generator Maven plug-in creates insecure temporary files during the code generation process. It creates insecure temporary files to store the OpenAPI specification files provided by the users and these temporary files can be read by any users in the system.

The impact of this vulnerability is information disclosure of the contents of the specification file to other local users.

Patches

The issue has been patched with Files.createTempFile and released in the v5.1.0 stable version.

For more information

If you have any questions or comments about this advisory: * Open an issue in OpenAPI Generator Github repo * Email us at security@openapitools.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openapitools:openapi-generator-maven-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21429"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-378",
      "CWE-379",
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-27T19:58:51Z",
    "nvd_published_at": "2021-04-27T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsing `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. This vulnerability only impacts unix-like systems where the local system temporary directory is shared between all users. This vulnerability does not impact Windows or modern versions of MacOS.\n\nOpenAPI Generator Maven plug-in creates insecure temporary files during the code generation process. It creates insecure temporary files to store the OpenAPI specification files provided by the users and these temporary files can be read by any users in the system.\n\nThe impact of this vulnerability is information disclosure of the contents of the specification file to other local users.\n\n### Patches\nThe issue has been patched with `Files.createTempFile` and released in the v5.1.0 stable version.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [OpenAPI Generator Github repo](https://github.com/openAPITools/openapi-generator/)\n* Email us at [security@openapitools.org](mailto:security@openapitools.org)",
  "id": "GHSA-867q-77cc-98mv",
  "modified": "2021-05-10T19:29:52Z",
  "published": "2021-04-29T21:51:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenAPITools/openapi-generator/security/advisories/GHSA-867q-77cc-98mv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21429"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenAPITools/openapi-generator/pull/8795"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenAPITools/openapi-generator/blob/06ad7a51eff04393203cfa715e54e1fb59d984fe/modules/openapi-generator-maven-plugin/src/main/java/org/openapitools/codegen/plugin/CodeGenMojo.java#L782-L799"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Creation of Temporary File in Directory with Insecure Permissions in the OpenAPI Generator Maven plugin"
}

GHSA-8MPM-Q7MH-8FVH

Vulnerability from github – Published: 2026-03-18 16:09 – Updated: 2026-03-18 16:09
VLAI
Summary
Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)
Details

Summary

The Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.

Details

Issue 1 - Arbitrary file overwrite via .capgo symlink (login --local)

  • Location: src/login.ts
  • Behavior: loginInternal(..., { local: true }) performs writeFileSync('.capgo', ...) before validating the API key with verifyUser().
  • No checks are performed to prevent writing through a symlink.
  • Result: if .capgo is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled content (the provided API key string), even when login fails.

Issue 2 - Arbitrary file overwrite via .capgo-credentials.json symlink (build credentials save --local)

  • Location: src/build/credentials.ts (local path is join(cwd(), '.capgo-credentials.json'))
  • Behavior: credentials are written using writeFile() without checking whether the destination is a symlink.
  • Result: if .capgo-credentials.json is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled JSON (including base64-encoded credential material). This occurs even if the user is not logged in / no API key exists.

Issue 3 - Insecure default permissions for global credentials

  • Location: src/build/credentials.ts (global path $HOME/.capgo-credentials/credentials.json)
  • Observed permissions after save: -rw-rw-r-- (664)
  • Impact: credentials file contains sensitive signing material (e.g., Android keystore + Play config; iOS cert/profile/API key in other flows). World/group readability is unsafe on shared hosts and CI runners. Expected minimum: file 0600, directory 0700.

PoC

PoC A: .capgo symlink clobber (writes even when API key invalid)

set -euo pipefail
BASE="/tmp/capgo_cli_poc_$(date +%s)"
HOME_SANDBOX="$BASE/home"
REPO="$BASE/repo"
TARGET="$BASE/clobbered.txt"

mkdir -p "$HOME_SANDBOX" "$REPO"
cd "$REPO"
git init -q

ln -s "$TARGET" .capgo

# This should fail auth, but still overwrites TARGET
HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 login "INVALID_KEY_SHOULD_FAIL" --local || true

echo "== TARGET content =="
cat "$TARGET"

Expected: On invalid key, nothing is written; .capgo should never follow symlinks. Observed: TARGET contains INVALID_KEY_SHOULD_FAIL.

PoC B: .capgo-credentials.json symlink clobber (no login required)

set -euo pipefail
BASE="/tmp/capgo_creds_symlink_$(date +%s)"
HOME_SANDBOX="$BASE/home"
REPO="$BASE/repo"
TARGET="$BASE/clobbered_creds.txt"

mkdir -p "$HOME_SANDBOX" "$REPO"
cd "$REPO"
git init -q

ln -s "$TARGET" .capgo-credentials.json

HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 build credentials save \
  --local --platform android --appId com.example.app \
  --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true

echo "== TARGET exists and contains JSON written via symlink =="
ls -la "$TARGET" || true
cat "$TARGET" || true

Expected: Refuse to write if destination is symlink; ideally require safe location and permissions. Observed: TARGET is created/overwritten with credentials JSON.

PoC C: global credentials permissions are world-readable

set -euo pipefail
BASE="/tmp/capgo_creds_perm_$(date +%s)"
HOME_SANDBOX="$BASE/home"
mkdir -p "$HOME_SANDBOX"

HOME="$HOME_SANDBOX" npx --yes @capgo/cli@7.82.0 build credentials save \
  --platform android --appId com.example.app \
  --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true

CREDS="$HOME_SANDBOX/.capgo-credentials/credentials.json"
ls -la "$CREDS" || true
stat -c '%a %U:%G %n' "$CREDS" || true

Observed: credentials.json created with mode 664 (-rw-rw-r--).

Impact

  • Arbitrary file overwrite (clobber) as the user running the CLI (developer workstation / CI runner).
  • This can cause:

developer environment compromise or sabotage (overwriting config files, scripts, env files) accidental or malicious leakage/destruction of secrets

  • Local secret exposure: global credentials written as 664 allows other local users to read signing material on shared machines.
  • A realistic scenario: a developer runs npx @capgo/cli ... --local inside an untrusted repo/template; the repo contains malicious symlinks.

Suggested remediation

  • Do not write .capgo until after API key validation succeeds.
  • For all secret/config writes:

refuse symlink destinations (lstat + isSymbolicLink) use safe file creation and enforce permissions (0600 for files; 0700 for directories) write atomically (temp file + rename) after safety checks

  • Avoid blindly appending to .gitignore unless it is a regular file (also check for symlink).
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@capgo/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.84.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-276",
      "CWE-377",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T16:09:42Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nThe Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer\u2019s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.\n\n### Details\nIssue 1 - Arbitrary file overwrite via .capgo symlink (login --local)\n\n- Location: src/login.ts\n- Behavior: loginInternal(..., { local: true }) performs writeFileSync(\u0027.capgo\u0027, ...) before validating the API key with verifyUser().\n- No checks are performed to prevent writing through a symlink.\n- Result: if .capgo is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled content (the provided API key string), even when login fails.\n\nIssue 2 - Arbitrary file overwrite via .capgo-credentials.json symlink (build credentials save --local)\n\n- Location: src/build/credentials.ts (local path is join(cwd(), \u0027.capgo-credentials.json\u0027))\n- Behavior: credentials are written using writeFile() without checking whether the destination is a symlink.\n- Result: if .capgo-credentials.json is a symlink to an arbitrary path, the CLI overwrites the symlink target with attacker-controlled JSON (including base64-encoded credential material). This occurs even if the user is not logged in / no API key exists.\n\nIssue 3 - Insecure default permissions for global credentials\n\n- Location: src/build/credentials.ts (global path $HOME/.capgo-credentials/credentials.json)\n- Observed permissions after save: -rw-rw-r-- (664)\n- Impact: credentials file contains sensitive signing material (e.g., Android keystore + Play config; iOS cert/profile/API key in other flows). World/group readability is unsafe on shared hosts and CI runners. Expected minimum: file 0600, directory 0700.\n\n### PoC\nPoC A: .capgo symlink clobber (writes even when API key invalid)\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_cli_poc_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nREPO=\"$BASE/repo\"\nTARGET=\"$BASE/clobbered.txt\"\n\nmkdir -p \"$HOME_SANDBOX\" \"$REPO\"\ncd \"$REPO\"\ngit init -q\n\nln -s \"$TARGET\" .capgo\n\n# This should fail auth, but still overwrites TARGET\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 login \"INVALID_KEY_SHOULD_FAIL\" --local || true\n\necho \"== TARGET content ==\"\ncat \"$TARGET\"\n```\n_Expected: On invalid key, nothing is written; .capgo should never follow symlinks.\nObserved: TARGET contains INVALID_KEY_SHOULD_FAIL._\n\nPoC B: .capgo-credentials.json symlink clobber (no login required)\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_creds_symlink_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nREPO=\"$BASE/repo\"\nTARGET=\"$BASE/clobbered_creds.txt\"\n\nmkdir -p \"$HOME_SANDBOX\" \"$REPO\"\ncd \"$REPO\"\ngit init -q\n\nln -s \"$TARGET\" .capgo-credentials.json\n\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 build credentials save \\\n  --local --platform android --appId com.example.app \\\n  --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true\n\necho \"== TARGET exists and contains JSON written via symlink ==\"\nls -la \"$TARGET\" || true\ncat \"$TARGET\" || true\n```\n_Expected: Refuse to write if destination is symlink; ideally require safe location and permissions.\nObserved: TARGET is created/overwritten with credentials JSON._\n\nPoC C: global credentials permissions are world-readable\n```\nset -euo pipefail\nBASE=\"/tmp/capgo_creds_perm_$(date +%s)\"\nHOME_SANDBOX=\"$BASE/home\"\nmkdir -p \"$HOME_SANDBOX\"\n\nHOME=\"$HOME_SANDBOX\" npx --yes @capgo/cli@7.82.0 build credentials save \\\n  --platform android --appId com.example.app \\\n  --keystore /etc/hosts --keystore-alias x --keystore-key-password x --play-config /etc/hosts || true\n\nCREDS=\"$HOME_SANDBOX/.capgo-credentials/credentials.json\"\nls -la \"$CREDS\" || true\nstat -c \u0027%a %U:%G %n\u0027 \"$CREDS\" || true\n```\n_Observed: credentials.json created with mode 664 (-rw-rw-r--)._\n\n### Impact\n\n- Arbitrary file overwrite (clobber) as the user running the CLI (developer workstation / CI runner).\n- This can cause:\n\n\u003edeveloper environment compromise or sabotage (overwriting config files, scripts, env files)\n\u003eaccidental or malicious leakage/destruction of secrets\n\n- Local secret exposure: global credentials written as 664 allows other local users to read signing material on shared machines.\n- A realistic scenario: a developer runs npx @capgo/cli ... --local inside an untrusted repo/template; the repo contains malicious symlinks.\n\n### Suggested remediation\n\n- Do not write .capgo until after API key validation succeeds.\n- For all secret/config writes:\n\n\u003erefuse symlink destinations (lstat + isSymbolicLink)\n\u003euse safe file creation and enforce permissions (0600 for files; 0700 for directories)\n\u003ewrite atomically (temp file + rename) after safety checks\n\n- Avoid blindly appending to .gitignore unless it is a regular file (also check for symlink).",
  "id": "GHSA-8mpm-q7mh-8fvh",
  "modified": "2026-03-18T16:09:42Z",
  "published": "2026-03-18T16:09:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-8mpm-q7mh-8fvh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Cap-go/CLI/commit/b8aa5ccbfad2d7f10f3cdbc00910d4a6aab026b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Cap-go/capgo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)"
}

GHSA-8MVW-22R7-W6FQ

Vulnerability from github – Published: 2022-05-05 02:48 – Updated: 2023-03-08 19:28
VLAI
Summary
ruby_parser allows local users to overwrite arbitrary files via symlink attack on temporary file with predictable name
Details

The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "ruby_parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.2"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-0162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-08T19:28:01Z",
    "nvd_published_at": "2013-03-01T05:40:00Z",
    "severity": "LOW"
  },
  "details": "The `diff_pp` function in `lib/gauntlet_rubyparser.rb` in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in `/tmp`.",
  "id": "GHSA-8mvw-22r7-w6fq",
  "modified": "2023-03-08T19:28:01Z",
  "published": "2022-05-05T02:48:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0162"
    },
    {
      "type": "WEB",
      "url": "https://github.com/seattlerb/ruby_parser/commit/506c7e13cff6f8715385fa8488b621028b4ad280"
    },
    {
      "type": "WEB",
      "url": "https://github.com/seattlerb/ruby_parser/commit/c35acd878d50a8e4ea35933e3fbdc493421d422c"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2013:0544"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2013:0582"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2013-0162"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=892806"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby_parser/CVE-2013-0162.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/seattlerb/ruby_parser"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0544.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0548.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "ruby_parser allows local users to overwrite arbitrary files via symlink attack on temporary file with predictable name"
}

GHSA-8V4G-X6M4-P3QJ

Vulnerability from github – Published: 2024-09-27 09:30 – Updated: 2024-10-09 09:31
VLAI
Details

Products for macOS enables a user logged on to the system to perform a denial-of-service attack, which could be misused to disable the protection of the ESET security product and cause general system slow-down.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T09:15:03Z",
    "severity": "MODERATE"
  },
  "details": "Products for macOS enables a\u00a0user logged on to the system to perform a denial-of-service attack, which could be misused to disable the protection of the ESET security product and cause general system slow-down.",
  "id": "GHSA-8v4g-x6m4-p3qj",
  "modified": "2024-10-09T09:31:35Z",
  "published": "2024-09-27T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6654"
    },
    {
      "type": "WEB",
      "url": "https://support.eset.com/en/ca8725-denial-of-service-vulnerability-in-eset-products-for-macos-fixed"
    },
    {
      "type": "WEB",
      "url": "https://support.eset.com/en/ca8725-local-privilege-escalation-vulnerability-in-eset-products-for-macos-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8XCQ-8JHF-W82H

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-15 21:31
VLAI
Details

Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory.
This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.. This vulnerability affects Firefox ESR < 91.7 and Thunderbird < 91.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Previously Firefox for macOS and Linux would download temporary files to a user-specific directory in \u003ccode\u003e/tmp\u003c/code\u003e, but this behavior was changed to download them to \u003ccode\u003e/tmp\u003c/code\u003e where they could be affected by other local users. This behavior was reverted to the original, user-specific directory. \u003cbr\u003e*This bug only affects Firefox for macOS and Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR \u003c 91.7 and Thunderbird \u003c 91.7.",
  "id": "GHSA-8xcq-8jhf-w82h",
  "modified": "2025-04-15T21:31:23Z",
  "published": "2022-12-22T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26386"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1752396"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-11"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8XRX-9WJ4-6775

Vulnerability from github – Published: 2026-02-12 00:31 – Updated: 2026-02-13 15:30
VLAI
Details

A logging issue was addressed with improved data redaction. This issue is fixed in watchOS 26.3, iOS 26.3 and iPadOS 26.3, tvOS 26.3, macOS Tahoe 26.3. A user may be able to view sensitive user information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T23:16:07Z",
    "severity": "HIGH"
  },
  "details": "A logging issue was addressed with improved data redaction. This issue is fixed in watchOS 26.3, iOS 26.3 and iPadOS 26.3, tvOS 26.3, macOS Tahoe 26.3. A user may be able to view sensitive user information.",
  "id": "GHSA-8xrx-9wj4-6775",
  "modified": "2026-02-13T15:30:23Z",
  "published": "2026-02-12T00:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20649"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126346"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126348"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126351"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/126352"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-925R-R6RP-2JJ7

Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-16 21:44
VLAI
Summary
ManyDesigns Portofino subject to creation of insecure temporary file
Details

A vulnerability has been found in ManyDesigns Portofino 5.3.2. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary file in directory with insecure permissions. Upgrading to version 5.3.3 is able to address this issue. The name of the patch is 94653cb357806c9cf24d8d294e6afea33f8f0775. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.manydesigns:portofino"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3952"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-16T00:00:50Z",
    "nvd_published_at": "2022-11-11T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been found in ManyDesigns Portofino 5.3.2. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary file in directory with insecure permissions. Upgrading to version 5.3.3 is able to address this issue. The name of the patch is 94653cb357806c9cf24d8d294e6afea33f8f0775. It is recommended to upgrade the affected component. ",
  "id": "GHSA-925r-r6rp-2jj7",
  "modified": "2022-11-16T21:44:44Z",
  "published": "2022-11-11T19:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3952"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ManyDesigns/Portofino/pull/580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ManyDesigns/Portofino/commit/94653cb357806c9cf24d8d294e6afea33f8f0775"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ManyDesigns/Portofino"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ManyDesigns/Portofino/releases/tag/v5.3.3"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.213457"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ManyDesigns Portofino subject to creation of insecure temporary file"
}

No mitigation information available for this CWE.

CAPEC-149: Explore for Predictable Temporary File Names

An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.

CAPEC-155: Screen Temporary Files for Sensitive Information

An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.