Common Weakness Enumeration

CWE-379

Allowed

Creation of Temporary File in Directory with Insecure Permissions

Abstraction: Base · Status: Incomplete

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

112 vulnerabilities reference this CWE, most recent first.

GHSA-PC22-3G76-GM6J

Vulnerability from github – Published: 2021-03-11 03:09 – Updated: 2021-03-22 23:45
VLAI
Summary
Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory
Details

Impact

On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory.

This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.

Java Code

The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185

Patches

Fix has been applied to the master branch with:

  • https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89

included in release: 2.4.19

References

For more information

If you have any questions or comments about this advisory:

Original vulnerability report

I'm performing OSS security research under the GitHub Security Lab Bug Bounty program. I've been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.

  • https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f
  • https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac
  • https://github.com/github/codeql/pull/4473

The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.


This vulnerability exists in the maven plugin.

This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability.

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185

This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project.

https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6

This is due to a race condition between the call to delete and the call to mkdirs.

java // ensure file will always be unique by appending random digits File outputFolder = File.createTempFile("codegen-", "-tmp"); // Attacker knows the full path of the file that will be generated // delete the file that was created outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator. // and make a directory of the same name // SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory outputFolder.mkdirs();

This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.

The fix here is to switch to the Files API for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.swagger:swagger-codegen"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-378",
      "CWE-379"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-11T03:07:41Z",
    "nvd_published_at": "2021-03-11T03:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nOn Unix like systems, the system\u0027s temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. \n\nThis vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.\n\n#### Java Code\n\nThe method `File.createTempFile` from the JDK is vulnerable to this local information disclosure vulnerability.\n\nhttps://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185\n\n\n### Patches\n\nFix has been applied to the master branch with:\n\n* https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89\n\nincluded in release: 2.4.19\n\n\n### References\n\n* [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n* [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Email us at [security@swagger.io](mailto:security@swagger.io)\n\n#### Original vulnerability report\n\n\u003e I\u0027m performing OSS security research under the GitHub Security Lab Bug Bounty program.\n\u003e I\u0027ve been using a custom CodeQL query to find local temporary directory vulnerabilities in OSS with three custom CodeQL queries.\n\u003e \n\u003e - https://github.com/github/codeql/pull/4388/files#diff-71d36c0f2bd0b08e32866f873f1c906cdc17277e0ad327c0c6cd2c882f30de4f\n\u003e - https://github.com/github/codeql/pull/4388/files#diff-1893a18a8bf43c011d61a7889d0139b998a5a78701a30fe7722eddd4c506aaac\n\u003e - https://github.com/github/codeql/pull/4473\n\u003e \n\u003e The code generated by the Swagger Generator contains a local information disclosure vulnerability. The system temporary directory, on unix-like systems is shared between multiple users. Information written to this directory, or directories created under this directory that do not correctly set the posix standard permissions can have these directories read/modified by other users.\n\u003e \n\u003e ---\n\u003e \n\u003e This vulnerability exists in the maven plugin.\n\u003e \n\u003e This vulnerability is distinctly different. This vulnerability is most likely a local privilege escalation vulnerability.\n\u003e \n\u003e https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185\n\u003e \n\u003e This vulnerability is very similar to this similar vulnerability I disclosed in the Eclipse Jetty project.\n\u003e \n\u003e https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\u003e \n\u003e This is due to a race condition between the call to `delete` and the call to `mkdirs`.\n\u003e \n\u003e ```java\n\u003e // ensure file will always be unique by appending random digits\n\u003e File outputFolder = File.createTempFile(\"codegen-\", \"-tmp\"); // Attacker knows the full path of the file that will be generated\n\u003e // delete the file that was created\n\u003e outputFolder.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Swagger Code Generator.\n\u003e // and make a directory of the same name\n\u003e // SECURITY VULNERABILITY: Race Condition! - Attacker beats Swagger Code Generator and now owns this directory\n\u003e outputFolder.mkdirs();\n\u003e ```\n\u003e \n\u003e This vulnerability is local privilege escalation because the contents of the `outputFolder` can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.\n\u003e \n\u003e The fix here is to switch to the `Files` API for creating temporary directories. Which does not contain this race condition, and appropriately sets the correct file permissions.\n\u003e ",
  "id": "GHSA-pc22-3g76-gm6j",
  "modified": "2021-03-22T23:45:20Z",
  "published": "2021-03-11T03:09:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/swagger-api/swagger-codegen/security/advisories/GHSA-pc22-3g76-gm6j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21363"
    },
    {
      "type": "WEB",
      "url": "https://github.com/swagger-api/swagger-codegen/commit/987ea7a30b463cc239580d6ad166c707ae942a89"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory"
}

GHSA-PMMG-4G9W-JF76

Vulnerability from github – Published: 2023-07-27 06:30 – Updated: 2024-04-04 06:23
VLAI
Details

Dell Power Manager, Versions 3.3 to 3.14 contains an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-27T05:15:10Z",
    "severity": "HIGH"
  },
  "details": "\nDell Power Manager, Versions 3.3 to 3.14 contains an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access.\n\n",
  "id": "GHSA-pmmg-4g9w-jf76",
  "modified": "2024-04-04T06:23:43Z",
  "published": "2023-07-27T06:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32450"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000215215/dsa-2023-181-dell-power-manager-security-update-for-an-improper-access-control-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q89F-4FM5-5X46

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

Adobe Digital Editions 4.5.11.187646 (and earlier) are affected by a privilege escalation vulnerability in the Digital Editions installer. An authenticated attacker could leverage this vulnerability to escalate privileges. User interaction is required before product installation to abuse this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39828"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-27T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Digital Editions 4.5.11.187646 (and earlier) are affected by a privilege escalation vulnerability in the Digital Editions installer. An authenticated attacker could leverage this vulnerability to escalate privileges. User interaction is required before product installation to abuse this vulnerability.",
  "id": "GHSA-q89f-4fm5-5x46",
  "modified": "2022-05-24T19:15:46Z",
  "published": "2022-05-24T19:15:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39828"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/Digital-Editions/apsb21-80.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R2VX-JCP9-XJ38

Vulnerability from github – Published: 2023-04-12 21:30 – Updated: 2023-04-12 21:30
VLAI
Details

Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26396"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-12T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by a Creation of Temporary File in Directory with Incorrect Permissions vulnerability that could result in privilege escalation in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-r2vx-jcp9-xj38",
  "modified": "2023-04-12T21:30:19Z",
  "published": "2023-04-12T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26396"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb23-24.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCJJ-H6GH-JF3R

Vulnerability from github – Published: 2020-12-09 19:03 – Updated: 2024-10-17 16:18
VLAI
Summary
Information Disclosure in Apache Groovy
Details

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codehaus.groovy:groovy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.4.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codehaus.groovy:groovy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codehaus.groovy:groovy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codehaus.groovy:groovy-all"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.4.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codehaus.groovy:groovy-all"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codehaus.groovy:groovy-all"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-17521"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-12-09T19:02:34Z",
    "nvd_published_at": "2020-12-07T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy\u0027s implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.",
  "id": "GHSA-rcjj-h6gh-jf3r",
  "modified": "2024-10-17T16:18:50Z",
  "published": "2020-12-09T19:03:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17521"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/groovy/pull/1425"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/groovy/commit/bcbe5c4c76db83736166530647c024ac1e47ef28"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/groovy"
    },
    {
      "type": "WEB",
      "url": "https://groovy-lang.org/security.html#CVE-2020-17521"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20201218-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Information Disclosure in Apache Groovy"
}

GHSA-VP9F-3RQH-83PC

Vulnerability from github – Published: 2024-01-25 18:30 – Updated: 2024-01-25 18:30
VLAI
Details

The C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe process creates a folder at C:\Windows\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\Windows\Temp~nsu.tmp\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer’s Windows Installer. Since the C:\Windows\Temp~nsu.tmp folder inherits permissions from C:\Windows\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-25T16:15:07Z",
    "severity": "HIGH"
  },
  "details": "The C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\uninst.exe process creates a folder at C:\\Windows\\Temp~nsu.tmp and copies itself to it as Au_.exe. The C:\\Windows\\Temp~nsu.tmp\\Au_.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI repair using Splashtop Streamer\u2019s Windows Installer. Since the C:\\Windows\\Temp~nsu.tmp folder inherits permissions from C:\\Windows\\Temp and Au_.exe is susceptible to DLL hijacking, standard users can write a malicious DLL to it and elevate their privileges.",
  "id": "GHSA-vp9f-3rqh-83pc",
  "modified": "2024-01-25T18:30:50Z",
  "published": "2024-01-25T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3181"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0015.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC69-M7G2-2PCM

Vulnerability from github – Published: 2025-01-02 18:30 – Updated: 2025-10-07 15:30
VLAI
Details

A vulnerability in Forescout SecureConnector v11.3.07.0109 on Windows allows

unauthenticated user to modify compliance scripts due to insecure temporary directory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T16:15:08Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in Forescout SecureConnector v11.3.07.0109\u00a0on Windows allows \n\nunauthenticated user to modify compliance scripts due to insecure temporary directory.",
  "id": "GHSA-wc69-m7g2-2pcm",
  "modified": "2025-10-07T15:30:24Z",
  "published": "2025-01-02T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9950"
    },
    {
      "type": "WEB",
      "url": "https://support.forescout.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WCRW-WHFV-8V36

Vulnerability from github – Published: 2025-12-09 00:31 – Updated: 2025-12-09 00:31
VLAI
Details

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-08T22:15:51Z",
    "severity": "MODERATE"
  },
  "details": "IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 is vulnerable to creation of temporary files without atomic operations which may expose sensitive information to an authenticated user due to race condition attacks.",
  "id": "GHSA-wcrw-whfv-8v36",
  "modified": "2025-12-09T00:31:16Z",
  "published": "2025-12-09T00:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33111"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7253273"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQH9-PJHR-MH8Q

Vulnerability from github – Published: 2026-04-05 21:30 – Updated: 2026-04-05 21:30
VLAI
Details

WinRAR 5.61 contains a denial of service vulnerability that allows local attackers to crash the application by placing a malformed winrar.lng language file in the installation directory. Attackers can trigger the crash by opening an archive and pressing the test button, causing an access violation at memory address 004F1DB8 when the application attempts to read invalid data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-05T21:16:45Z",
    "severity": "MODERATE"
  },
  "details": "WinRAR 5.61 contains a denial of service vulnerability that allows local attackers to crash the application by placing a malformed winrar.lng language file in the installation directory. Attackers can trigger the crash by opening an archive and pressing the test button, causing an access violation at memory address 004F1DB8 when the application attempts to read invalid data.",
  "id": "GHSA-wqh9-pjhr-mh8q",
  "modified": "2026-04-05T21:30:20Z",
  "published": "2026-04-05T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25677"
    },
    {
      "type": "WEB",
      "url": "https://win-rar.com/predownload.html?spV=true\u0026subD=true\u0026f=wrar561tr.exe"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46432"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/winrar-denial-of-service-via-malformed-language-file"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WXVP-8Q8H-R6RR

Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2024-01-17 15:47
VLAI
Summary
Moodle Double-Caches Content, Potentially Writing to a File System's Tmp Directory
Details

The theme implementation in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 triggers duplicate caching of Cascading Style Sheets (CSS) and JavaScript content, which allows remote attackers to bypass intended access restrictions and write to an operating-system temporary directory via unspecified vectors.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0"
            },
            {
              "fixed": "2.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2011-4293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-379"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-17T15:47:30Z",
    "nvd_published_at": "2012-07-16T10:28:00Z",
    "severity": "MODERATE"
  },
  "details": "The theme implementation in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 triggers duplicate caching of Cascading Style Sheets (CSS) and JavaScript content, which allows remote attackers to bypass intended access restrictions and write to an operating-system temporary directory via unspecified vectors.",
  "id": "GHSA-wxvp-8q8h-r6rr",
  "modified": "2024-01-17T15:47:30Z",
  "published": "2022-05-13T01:13:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/05f4555422278190ec24a88466ac43c914a7e5d6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/9a380fbb53429713b3c422a3146456dc97205329"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/e1c2a211f259821910be2cba23679d4176fb00a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moodle/moodle"
    },
    {
      "type": "WEB",
      "url": "http://git.moodle.org/gw?p=moodle.git;a=commit;h=e1c2a211f259821910be2cba23679d4176fb00a3"
    },
    {
      "type": "WEB",
      "url": "http://moodle.org/mod/forum/discuss.php?d=182736"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/11/14/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Moodle Double-Caches Content, Potentially Writing to a File System\u0027s Tmp Directory"
}

Mitigation
Requirements

Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.

Mitigation
Implementation

Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories.

Mitigation
Implementation

Avoid using vulnerable temp file functions.

No CAPEC attack patterns related to this CWE.