CVE-2023-0481

In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user.

CVSS v3 3.3 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/quarkusio/quarkus/pull/30694	Patch Vendor Advisory
https://github.com/quarkusio/quarkus/pull/30694	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:37

Type	Values Removed	Values Added
Summary		(es) En la implementación RestEasy Reactive de Quarkus, el inseguro File.createTempFile() se usa en la clase FileBodyHandler que crea archivos temporales con permisos inseguros que un usuario local podría leer.
References	~~() https://github.com/quarkusio/quarkus/pull/30694 - Patch, Vendor Advisory~~	() https://github.com/quarkusio/quarkus/pull/30694 - Patch, Vendor Advisory

07 Mar 2023, 01:44

Type	Values Removed	Values Added
CWE		CWE-668
References	~~(MISC) https://github.com/quarkusio/quarkus/pull/30694 -~~	(MISC) https://github.com/quarkusio/quarkus/pull/30694 - Patch, Vendor Advisory
CPE		cpe:2.3:a:quarkus:quarkus::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 3.3

24 Feb 2023, 18:48

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-02-24 18:15

Updated : 2025-03-12 16:15

NVD link : CVE-2023-0481

Mitre link : CVE-2023-0481

CVE.ORG link : CVE-2023-0481

JSON object : View

Products Affected

quarkus

quarkus

CWE

CWE-378

Creation of Temporary File With Insecure Permissions

CWE-668

Exposure of Resource to Wrong Sphere

{"id": "CVE-2023-0481", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2023-02-24T18:15:14.140", "references": [{"url": "https://github.com/quarkusio/quarkus/pull/30694", "tags": ["Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/quarkusio/quarkus/pull/30694", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-378"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user."}, {"lang": "es", "value": "En la implementaci\u00f3n RestEasy Reactive de Quarkus, el inseguro File.createTempFile() se usa en la clase FileBodyHandler que crea archivos temporales con permisos inseguros que un usuario local podr\u00eda leer."}], "lastModified": "2025-03-12T16:15:18.873", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FDFC706-B7B5-458B-833E-195D65F2E8EC", "versionEndExcluding": "2.16.1"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}