VYPR
Critical severity · NVD Advisory · Published Jan 6, 2023 · Updated Apr 10, 2025

devent globalpom-utils FileResourceManagerProvider.java createTmpDir temp file

CVE-2018-25068

Description

A vulnerability has been found in devent globalpom-utils up to 4.5.0 and classified as critical. This vulnerability affects the function createTmpDir of the file globalpomutils-fileresources/src/main/java/com/anrisoftware/globalpom/fileresourcemanager/FileResourceManagerProvider.java. The manipulation leads to insecure temporary file. The attack can be initiated remotely. Upgrading to version 4.5.1 is able to address this issue. The patch is identified as 77a820bac2f68e662ce261ecb050c643bd7ee560. It is recommended to upgrade the affected component. VDB-217570 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical vulnerability in globalpom-utils versions ≤4.5.0 allows remote attackers to create insecure temporary files via the createTmpDir function.

Vulnerability

The vulnerability resides in the createTmpDir function within FileResourceManagerProvider.java of the globalpom-utils library up to version 4.5.0. This function creates temporary files in an insecure manner, potentially allowing an attacker to influence the file path or contents [1][2]. The issue is classified as critical due to the remote attack vector and the potential for severe impact.

Exploitation

The attack can be initiated remotely without authentication, making it exploitable over a network. By manipulating the temporary file creation process, an attacker can achieve insecure temporary file handling [1]. No special privileges or user interaction are required, increasing the risk of exploitation.

Impact

Successful exploitation could lead to arbitrary file write or code execution, depending on how the temporary file is used. This could compromise the confidentiality, integrity, and availability of the system [1]. The vulnerability is rated critical, emphasizing the need for immediate remediation.

Mitigation

The issue is fixed in version 4.5.1. Users are strongly advised to upgrade to this version or later. The patch is identified by commit 77a820bac2f68e662ce261ecb050c643bd7ee560 [2], and the release is tagged as globalpomutils-4.5.1 [3]. No workarounds have been provided.
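The following is an added example, not code from globalpom-utils: it places the pre-4.5.1 createTmpDir sequence (create a temp file, delete it, reuse the name for mkdir) beside the patched one (a single Files.createTempDirectory call, as in the fix commit) and checks the one property a reviewer can observe directly, whether the resulting directory is readable by anyone other than its owner. The class name TempDirPatterns and the helpers insecureTmpDir, secureTmpDir and isOwnerOnly are mine; the two creation sequences mirror the before and after of the diff.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;

// Added example (not part of globalpom-utils): the vulnerable and the fixed
// temp-directory pattern side by side, plus a permission check.
public class TempDirPatterns {

    // Pre-4.5.1 pattern as shown in the diff: a temp *file* is created, deleted,
    // and the same name is reused for mkdir(). Between delete() and mkdir() the
    // name belongs to nobody, and mkdir()'s boolean result is never checked, so
    // a directory that already exists under that name is silently used as the
    // work dir. File.mkdir() also applies the process umask to 0777, so the
    // directory is usually world-readable.
    static File insecureTmpDir() throws IOException {
        File tmp = File.createTempFile("fileresourcemanager", null);
        tmp.delete();
        tmp.mkdir();
        return tmp;
    }

    // 4.5.1 pattern: the directory is created atomically under a fresh name,
    // and on POSIX file systems with rwx------ permissions by default.
    static File secureTmpDir() throws IOException {
        return Files.createTempDirectory("fileresourcemanager").toFile();
    }

    // True when no group or "others" permission bit is set. On file systems
    // without POSIX attributes (e.g. NTFS) there is nothing to inspect, so the
    // check is skipped and true is returned.
    static boolean isOwnerOnly(Path dir) throws IOException {
        if (!Files.getFileStore(dir).supportsFileAttributeView("posix")) {
            return true;
        }
        for (PosixFilePermission p : Files.getPosixFilePermissions(dir)) {
            if (!p.name().startsWith("OWNER_")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        File legacy = insecureTmpDir();
        File fixed = secureTmpDir();
        try {
            System.out.println("legacy: " + legacy + " ownerOnly=" + isOwnerOnly(legacy.toPath()));
            System.out.println("fixed:  " + fixed + " ownerOnly=" + isOwnerOnly(fixed.toPath()));
        } finally {
            legacy.delete();
            fixed.delete();
        }
    }
}
```

With a typical umask of 022 the legacy directory reports ownerOnly=false (it is created rwxr-xr-x), while the directory from Files.createTempDirectory reports ownerOnly=true. The permission difference is the visible half of the fix; the other half, removing the window between delete() and mkdir() in which another local process can claim the name, cannot be shown by inspecting the result, which is why the atomic call is the right replacement rather than an added existence check.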

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.anrisoftware.globalpom:globalpomutils (Maven)
Affected versions: < 4.5.1
Patched versions: 4.5.1

Affected products

3

Patches

1
77a820bac2f6

Feature #4100 Fix critical Vulnerability

https://github.com/devent/globalpom-utils · Erwin Müller · Oct 10, 2018 · via ghsa
1 file changed · +57 −78
  • globalpomutils-fileresources/src/main/java/com/anrisoftware/globalpom/fileresourcemanager/FileResourceManagerProvider.java +57 −78 modified
    @@ -1,18 +1,3 @@
    -/*
    - * Copyright 2016 Erwin Müller <erwin.mueller@deventm.org>
    - *
    - * Licensed under the Apache License, Version 2.0 (the "License");
    - * you may not use this file except in compliance with the License.
    - * You may obtain a copy of the License at
    - *
    - *     http://www.apache.org/licenses/LICENSE-2.0
    - *
    - * Unless required by applicable law or agreed to in writing, software
    - * distributed under the License is distributed on an "AS IS" BASIS,
    - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    - * See the License for the specific language governing permissions and
    - * limitations under the License.
    - */
     package com.anrisoftware.globalpom.fileresourcemanager;
     
     /*-
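Review bot: this hunk removes the first of two consecutive license headers and keeps the `/*-` block that follows, so the copyright and Apache-2.0 notice survive; the cleanup is unrelated to the temp-directory fix and is not mentioned in the commit message "Feature #4100 Fix critical Vulnerability", so either note it there or move it to its own commit.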
    @@ -24,9 +9,9 @@
      * Licensed under the Apache License, Version 2.0 (the "License");
      * you may not use this file except in compliance with the License.
      * You may obtain a copy of the License at
    - * 
    + *
      *      http://www.apache.org/licenses/LICENSE-2.0
    - * 
    + *
      * Unless required by applicable law or agreed to in writing, software
      * distributed under the License is distributed on an "AS IS" BASIS,
      * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    @@ -39,6 +24,7 @@
     import java.io.File;
     import java.io.IOException;
     import java.io.PrintWriter;
    +import java.nio.file.Files;
     
     import javax.inject.Inject;
     
    @@ -51,77 +37,70 @@
     /**
      * Provides the file resource manager for ACID file operations. The store
      * directory must be set before creating the manager.
    - * 
    + *
      * @author Erwin Mueller, erwin.mueller@deventm.org
      * @since 1.8
      */
    -public class FileResourceManagerProvider implements
    -		Provider<FileResourceManager> {
    +public class FileResourceManagerProvider implements Provider<FileResourceManager> {
     
    -	@Inject
    -	private FileResourceManagerProviderLogger log;
    +    @Inject
    +    private FileResourceManagerProviderLogger log;
     
    -	private String storeDir;
    +    private String storeDir;
     
    -	private boolean debug;
    +    private boolean debug;
     
    -	/**
    -	 * Sets debug enabled for the file resource manager.
    -	 * 
    -	 * @param debug
    -	 *            set to {@code true} to enable debug before creating the
    -	 *            manager.
    -	 */
    -	public void setDebug(boolean debug) {
    -		this.debug = debug;
    -	}
    +    /**
    +     * Sets debug enabled for the file resource manager.
    +     *
    +     * @param debug set to {@code true} to enable debug before creating the manager.
    +     */
    +    public void setDebug(boolean debug) {
    +        this.debug = debug;
    +    }
     
    -	/**
    -	 * Sets the store directory path for the file resource manager.
    -	 * 
    -	 * @param path
    -	 *            the store directory {@link File} path.
    -	 */
    -	public void setStoreDir(File path) {
    -		setStoreDir(path.getAbsolutePath());
    -	}
    +    /**
    +     * Sets the store directory path for the file resource manager.
    +     *
    +     * @param path the store directory {@link File} path.
    +     */
    +    public void setStoreDir(File path) {
    +        setStoreDir(path.getAbsolutePath());
    +    }
     
    -	/**
    -	 * Sets the store directory path for the file resource manager.
    -	 * 
    -	 * @param path
    -	 *            the store directory path.
    -	 */
    -	public void setStoreDir(String path) {
    -		this.storeDir = path;
    -	}
    +    /**
    +     * Sets the store directory path for the file resource manager.
    +     *
    +     * @param path the store directory path.
    +     */
    +    public void setStoreDir(String path) {
    +        this.storeDir = path;
    +    }
     
    -	@Override
    -	public FileResourceManager get() {
    -		String workDir = createTmpDir();
    -		boolean urlEncodePath = false;
    -		final ByteArrayOutputStream stream = new ByteArrayOutputStream(1024);
    -		PrintWriter printWriter = new PrintWriter(stream) {
    -			@Override
    -			public void flush() {
    -				super.flush();
    -				log.logFileResourceMessage(stream.toString());
    -			}
    -		};
    -		LoggerFacade logger = new PrintWriterLogger(printWriter, "", debug);
    -		return new FileResourceManager(storeDir, workDir, urlEncodePath, logger);
    -	}
    +    @Override
    +    public FileResourceManager get() {
    +        String workDir = createTmpDir();
    +        boolean urlEncodePath = false;
    +        final ByteArrayOutputStream stream = new ByteArrayOutputStream(1024);
    +        PrintWriter printWriter = new PrintWriter(stream) {
    +            @Override
    +            public void flush() {
    +                super.flush();
    +                log.logFileResourceMessage(stream.toString());
    +            }
    +        };
    +        LoggerFacade logger = new PrintWriterLogger(printWriter, "", debug);
    +        return new FileResourceManager(storeDir, workDir, urlEncodePath, logger);
    +    }
     
    -	private String createTmpDir() {
    -		try {
    -			File tmp = File.createTempFile("fileresourcemanager", null);
    -			tmp.delete();
    -			tmp.mkdir();
    -			String workDir = tmp.getAbsolutePath();
    -			return workDir;
    -		} catch (IOException e) {
    -			throw log.errorCreateWorkDir(e);
    -		}
    -	}
    +    private String createTmpDir() {
    +        try {
    +            File tmp = Files.createTempDirectory("fileresourcemanager").toFile();
    +            String workDir = tmp.getAbsolutePath();
    +            return workDir;
    +        } catch (IOException e) {
    +            throw log.errorCreateWorkDir(e);
    +        }
    +    }
     
     }
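Review bot: the actual security change in this hunk is the three-line body of `createTmpDir`, where `File.createTempFile` / `tmp.delete()` / `tmp.mkdir()` becomes `Files.createTempDirectory("fileresourcemanager").toFile()`, but it is buried under a reindentation of the whole class (tabs to four spaces, every Javadoc rewrapped, `implements Provider<FileResourceManager>` joined onto one line), which is what turns a small fix into -77/+70; split the whitespace churn into a separate commit so the fix can be reviewed and cherry-picked on its own. On the fix itself: the old sequence left a window between `delete()` and `mkdir()` during which the name was unowned, and the unchecked `mkdir()` result meant an already-existing directory under that name was used silently; `createTempDirectory` creates the directory atomically under a fresh name and, on POSIX file systems, with owner-only permissions, so both problems go away. Two follow-ups worth recording: every `get()` call still creates a new work directory that nothing removes, so consider cleanup (or at least `deleteOnExit`) for the returned path, and the `toFile().getAbsolutePath()` round-trip can simply be `.toAbsolutePath().toString()` on the returned `Path`. Unrelated but visible here: the `flush()` override logs `stream.toString()` without resetting the `ByteArrayOutputStream`, so every flush re-logs all earlier output; a `stream.reset()` after `logFileResourceMessage` would fix that.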
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
