CVE-2023-0482

Description

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.

CVSS Metrics

• v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.05%• Percentile: 16%

Techniques & Countermeasures

• CWE-378•Creation of Temporary File With Insecure Permissions

  Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.

Affected Systems

• org.jboss.resteasy•resteasy-core

  ≥ 6.0.0.Beta1, < 6.2.3.Final | ≥ 5.0.0.Alpha1, < 5.0.6.Final | ≥ 4.0.0.Beta1, < 4.7.8.Final | < 3.15.5.Final

• org.jboss.resteasy•resteasy-multipart-provider

  ≥ 6.0.0.Beta1, < 6.2.3.Final | ≥ 5.0.0.Alpha1, < 5.0.6.Final | ≥ 4.0.0.Beta1, < 4.7.8.Final | < 3.15.5.Final

• netapp•active_iq_unified_manager

  na

• netapp•oncommand_workflow_automation

  na

• redhat•resteasy

  3.15.4 | 4.7.7 | 5.0.5 | 6.2.2

References (16)

• https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56
• https://security.netapp.com/advisory/ntap-20230427-0001/
• https://github.com/resteasy/resteasy/security/advisories/GHSA-2c6g-pfx3-w7h8
• https://nvd.nist.gov/vuln/detail/CVE-2023-0482
• https://github.com/resteasy/resteasy/pull/3409
• https://github.com/resteasy/resteasy/pull/3410
• https://github.com/resteasy/resteasy/pull/3412
• https://github.com/resteasy/resteasy/pull/3413
• https://github.com/resteasy/resteasy/pull/3423
• https://bugzilla.redhat.com/show_bug.cgi?id=2166004
• https://github.com/orgs/resteasy/discussions/3415
• https://github.com/orgs/resteasy/discussions/3504
• https://github.com/orgs/resteasy/discussions/3506
• https://github.com/resteasy/resteasy
• https://issues.redhat.com/browse/RESTEASY-3286
• https://security.netapp.com/advisory/ntap-20230427-0001