Description
Insecure Temporary File in RESTEasy
Impact
In RESTEasy, the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes, which creates temp files with insecure permissions that could be read by a local user.
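The permission difference behind this issue, as an added example (not RESTEasy code and not the project's patch): it creates one temp file with the legacy File.createTempFile() and one with the NIO Files.createTempFile() using explicit owner-only permissions, then reports whether group or other users can read each. The class and method names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical demo class, written for this page.
public class TempFilePermissionsDemo {
    static final boolean POSIX =
        FileSystems.getDefault().supportedFileAttributeViews().contains("posix");

    // Legacy API named in the advisory: on Unix the mode is 0666 masked by the process umask.
    static Path legacyTempFile() throws IOException {
        return File.createTempFile("demo-legacy-", ".tmp").toPath();
    }

    // NIO API with the permissions set atomically at creation time.
    static Path ownerOnlyTempFile() throws IOException {
        if (POSIX) {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
            return Files.createTempFile("demo-nio-", ".tmp",
                PosixFilePermissions.asFileAttribute(ownerOnly));
        }
        // Non-POSIX file systems (e.g. Windows): platform default ACLs apply.
        return Files.createTempFile("demo-nio-", ".tmp");
    }

    // True when any local account other than the owner could read the file.
    static boolean readableByGroupOrOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path hardened = ownerOnlyTempFile();
        try {
            if (!POSIX) {
                System.out.println("No POSIX permission view here; nothing to compare.");
                return;
            }
            for (Path p : new Path[] {legacy, hardened}) {
                System.out.printf("%s %s readableByGroupOrOthers=%b%n",
                    PosixFilePermissions.toString(Files.getPosixFilePermissions(p)),
                    p, readableByGroupOrOthers(p));
            }
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

The result for the legacy file depends on the umask of the JVM process, which is why the same code can be safe on one host and exposed on another.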
Patches
Fixed in the following pull requests:
- https://github.com/resteasy/resteasy/pull/3409 (7.0.0.Alpha1)
- https://github.com/resteasy/resteasy/pull/3423 (6.2.3.Final)
- https://github.com/resteasy/resteasy/pull/3412 (5.0.6.Final)
- https://github.com/resteasy/resteasy/pull/3413 (4.7.8.Final)
- https://github.com/resteasy/resteasy/pull/3410 (3.15.5.Final)
Workarounds
There is no workaround for this issue.
References
- https://github.com/resteasy/resteasy/security/advisories/GHSA-2c6g-pfx3-w7h8
- https://nvd.nist.gov/vuln/detail/CVE-2023-0482
- https://github.com/resteasy/resteasy/pull/3409
- https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56
- https://github.com/resteasy/resteasy/pull/3410
- https://github.com/resteasy/resteasy/pull/3412
- https://github.com/resteasy/resteasy/pull/3413
- https://github.com/resteasy/resteasy/pull/3423
- https://bugzilla.redhat.com/show_bug.cgi?id=2166004
- https://github.com/orgs/resteasy/discussions/3415
- https://github.com/orgs/resteasy/discussions/3504
- https://github.com/orgs/resteasy/discussions/3506
- https://issues.redhat.com/browse/RESTEASY-3286
- https://security.netapp.com/advisory/ntap-20230427-0001
Packages
- org.jboss.resteasy:resteasy-core: affected >= 6.0.0.Beta1, < 6.2.3.Final; fixed in 6.2.3.Final
- org.jboss.resteasy:resteasy-core: affected >= 5.0.0.Alpha1, < 5.0.6.Final; fixed in 5.0.6.Final
- org.jboss.resteasy:resteasy-core: affected >= 4.0.0.Beta1, < 4.7.8.Final; fixed in 4.7.8.Final
- org.jboss.resteasy:resteasy-multipart-provider: affected >= 6.0.0.Beta1, < 6.2.3.Final; fixed in 6.2.3.Final
- org.jboss.resteasy:resteasy-multipart-provider: affected >= 5.0.0.Alpha1, < 5.0.6.Final; fixed in 5.0.6.Final
- org.jboss.resteasy:resteasy-multipart-provider: affected >= 4.0.0.Beta1, < 4.7.8.Final; fixed in 4.7.8.Final
- org.jboss.resteasy:resteasy-multipart-provider: affected < 3.15.4.Final; fixed in 3.15.5.Final
- org.jboss.resteasy:resteasy-core: affected < 3.15.4.Final; fixed in 3.15.5.Final
Related vulnerabilities
A vulnerability in the RESTEasy software related to the creation of temporary files with insecure permissions, allowing an attacker to gain access to confidential information