CWE-377
Insecure Temporary File
Description
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-149 · CAPEC-155
CVEs mapped to this weakness (63)
page 1 of 4

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-5224 | | Cri | 0.57 | 9.8 | 0.05 | | Aug 23, 2017 | The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks. |
| CVE-2018-3710 | | Hig | 0.51 | 7.8 | 0.03 | | Mar 21, 2018 | Gitlab Community and Enterprise Editions version 10.3.3 is vulnerable to an Insecure Temporary File in the project import component resulting remote code execution. |
| CVE-2025-67223 | | Hig | 0.49 | 7.5 | 0.01 | | Apr 28, 2026 | The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and… |
| CVE-2026-20649 | | Hig | 0.49 | 7.5 | 0.00 | | Feb 11, 2026 | A logging issue was addressed with improved data redaction. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3. A user may be able to view sensitive user information. |
| CVE-2024-49506 | — | Hig | 0.47 | — | 0.00 | | Nov 13, 2024 | Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set the encryption key for a filesystem |
| CVE-2026-40973 | | Hig | 0.46 | 7.0 | 0.00 | | Apr 28, 2026 | A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session… |
| CVE-2026-20204 | | Hig | 0.46 | 7.1 | 0.03 | | Apr 15, 2026 | In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles… |
| CVE-2026-4822 | | Hig | 0.46 | 7.0 | 0.00 | | Mar 25, 2026 | A vulnerability was detected in Enter Software Iperius Backup up to 8.7.3. Affected is an unknown function of the file C:\ProgramData\IperiusBackup\Jobs\ of the component Backup Service. Performing a manipulation results in creation of temporary file with insecure permissions.… |
| CVE-2026-25701 | | Hig | 0.46 | — | 0.00 | | Feb 25, 2026 | An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to pre-create a directory to achieve various effects like: * gain access to possible private information found in /var/lib/pcrlock.d * manipulate the data backed up in /tmp/pcrlock.d.bak,… |
| CVE-2018-1053 | | Hig | 0.46 | 7.0 | 0.00 | | Feb 9, 2018 | In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade,… |
| CVE-2025-61659 | | Med | 0.44 | 6.8 | 0.00 | | Sep 29, 2025 | bash-git-prompt 2.6.1 through 2.7.1 insecurely uses the /tmp/git-index-private$$ file, which has a predictable name. |
| CVE-2024-6654 | | Med | 0.44 | — | 0.00 | | Sep 27, 2024 | Products for macOS enables a user logged on to the system to perform a denial-of-service attack, which could be misused to disable the protection of the ESET security product and cause general system slow-down. |
| CVE-2017-16024 | | Med | 0.42 | 6.5 | 0.03 | | Jun 4, 2018 | The sync-exec module is used to simulate child_process.execSync in node versions <0.11.9. Sync-exec uses tmp directories as a buffer before returning values. Other users on the server have read access to the tmp directory, possibly allowing an attacker on the server to obtain… |
| CVE-2017-7549 | | Med | 0.42 | 6.4 | 0.00 | | Sep 21, 2017 | A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local… |
| CVE-2026-45384 | | Med | 0.40 | 6.1 | 0.00 | | Jun 10, 2026 | bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, there is an arbitrary file overwrite vulnerability via symlink attack on predictable temp files during archive update. This issue has been patched in… |
| CVE-2026-40979 | | Med | 0.40 | 6.1 | 0.00 | | Apr 28, 2026 | In Spring AI, having access to a shared environment can expose the ONNX model used by the application. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5) |
| CVE-2016-9595 | | Hig | 0.40 | 7.3 | 0.00 | | Jul 27, 2018 | A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. |
| CVE-2026-49135 | | Hig | 0.39 | 7.1 | 0.00 | | Jun 1, 2026 | CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the… |
| CVE-2026-49134 | | Hig | 0.39 | 7.1 | 0.00 | | Jun 1, 2026 | CodexBar prior to 0.32.0 contains a privilege escalation vulnerability in the CLI installer that allows local attackers to execute arbitrary commands as root by exploiting a race condition in temporary file handling. The installer creates a temporary file with mktemp, writes a… |
| CVE-2024-45339 | | Hig | 0.39 | 7.1 | 0.00 | | Jan 28, 2025 | When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink… |