CWE-377

Insecure Temporary File

Class · Incomplete

Description

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-149 · CAPEC-155

CVEs mapped to this weakness (63)

page 3 of 4
  • CVE-2022-27772 · Mar 30, 2022
    risk 0.00 · cvss · epss 0.01

    spring-boot versions prior to version v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products…

  • CVE-2022-27815 · Mar 29, 2022
    risk 0.00 · cvss · epss 0.01

    SWHKD 1.1.5 unsafely uses the /tmp/swhkd.pid pathname. There can be an information leak or denial of service.

  • CVE-2022-0315 · Mar 24, 2022
    risk 0.00 · cvss · epss 0.01

    Insecure Temporary File in GitHub repository horovod/horovod prior to 0.24.0.

  • CVE-2022-0736 · Feb 23, 2022
    risk 0.00 · cvss · epss 0.02

    Insecure Temporary File in GitHub repository mlflow/mlflow prior to 1.23.1.

  • CVE-2021-20202 · May 12, 2021
    risk 0.00 · cvss · epss 0.00

    A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this…

  • CVE-2021-21430 · May 10, 2021
    risk 0.00 · cvss · epss 0.00

    OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave…

  • CVE-2021-21428 · May 10, 2021
    risk 0.00 · cvss · epss 0.00

    OpenAPI Generator is a Java tool which allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. openapi-generator-online creates insecure temporary folders with File.createTempFile during the…

  • CVE-2021-21429 · Apr 27, 2021
    risk 0.00 · cvss · epss 0.00

    OpenAPI Generator allows generation of API client libraries, server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system…

  • CVE-2021-28099 · Mar 23, 2021
    risk 0.00 · cvss · epss 0.00

    In Netflix OSS Hollow, since the Files.exists(parent) is run before creating the directories, an attacker can pre-create these directories with wide permissions. Additionally, since an insecure source of randomness is used, the file names to be created can be deterministically…

  • CVE-2021-28100 · Mar 23, 2021
    risk 0.00 · cvss · epss 0.00

    Priam uses File.createTempFile, which gives the permissions on that file -rw-r--r--. An attacker with read access to the local filesystem can read anything written there by the Priam process.

  • CVE-2021-23331 · Feb 3, 2021
    risk 0.00 · cvss · epss 0.00

    This affects all versions of package com.squareup:connect. The method prepareDownloadFile creates a temporary file with the permission bits of -rw-r--r-- on Unix-like systems. On Unix-like systems, the system temporary directory is shared between users. As such, the…

  • CVE-2020-10744 · May 15, 2020
    risk 0.00 · cvss · epss 0.00

    An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine…

  • CVE-2020-10685 · May 11, 2020
    risk 0.00 · cvss · epss 0.00

    A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypt vault files such as…

  • CVE-2020-1740 · Mar 16, 2020
    risk 0.00 · cvss · epss 0.00

    A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file…

  • CVE-2020-1733 · Mar 11, 2020
    risk 0.00 · cvss · epss 0.00

    A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is…

  • CVE-2012-2945 · Oct 28, 2019
    risk 0.00 · cvss · epss 0.03

    Hadoop 1.0.3 contains a symlink vulnerability.

  • CVE-2014-0177 · May 27, 2014
    risk 0.00 · cvss · epss 0.00

    The am function in lib/hub/commands.rb in hub before 1.12.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary patch file.

  • CVE-2014-0012 · May 19, 2014
    risk 0.00 · cvss · epss 0.00

    FileSystemBytecodeCache in Jinja2 2.7.2 does not properly create temporary directories, which allows local users to gain privileges by pre-creating a temporary directory with a user's uid. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1402.

  • CVE-2014-1604 · Jan 28, 2014
    risk 0.00 · cvss · epss 0.00

    The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.

  • CVE-2013-2119 · Jan 3, 2014
    risk 0.00 · cvss · epss 0.00

    Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the…