CVE-2023-0482

A local attacker on the same system can read temporary files created by RESTEasy during request processing because `File.createTempFile()` does not enforce restrictive permissions [CWE-378]. When RESTEasy processes multipart uploads, file downloads, or DataSource content, it writes data to temporary files that may be readable by other local users. The attacker only needs local shell access to the host and does not require any network-based authentication bypass. No special configuration is needed beyond the default RESTEasy setup.

The vulnerability exists in `DataSourceProvider.java`, `FileProvider.java`, and `Mime4JWorkaround.java` within the RESTEasy framework. These classes used `File.createTempFile()` which creates temporary files with default (often world-readable) permissions. The patches replace these calls with `Files.createTempFile()` from the NIO API, which applies more restrictive permissions by default [patch_id=6636833][patch_id=6636834][patch_id=6636837].

The patches replace `File.createTempFile()` with `java.nio.file.Files.createTempFile()` in `DataSourceProvider`, `FileProvider`, and `Mime4JWorkaround` [patch_id=6636833][patch_id=6636834][patch_id=6636837]. The NIO `Files.createTempFile()` creates temporary files with more restrictive permissions (owner-only read/write on POSIX systems) compared to the legacy `File.createTempFile()`, which could leave files world-readable. Additionally, the patches replace `FileInputStream`/`FileOutputStream` with `Files.newInputStream()`/`Files.newOutputStream()` and update the `TempFileCleanable` and `FileHolder` cleanup classes to use `Files.deleteIfExists()` instead of `File.delete()`. The advisory does not specify any other remediation steps beyond applying these patches.