CVE-2023-0481

2023-02-24 18:15:14
CWE-378
CWE-668
web.nvd.nist.gov
nvd
cve-2023-0481
resteasy
quarkus
file.createtempfile()
filebodyhandler
security vulnerability
local user
insecure permissions

CVSS3: 3.3 Low

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 3.7 Low (Confidence: High)

EPSS: 0.0004 Low (Percentile: 5.1%)

In the RestEasy Reactive implementation of Quarkus, the insecure File.createTempFile() is used in the FileBodyHandler class, which creates temp files with insecure permissions that could be read by a local user.
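
The permission difference behind this CVE, shown as an added example (not code from Quarkus or from this advisory): it creates one temp file with the legacy `File.createTempFile()` call and one with `java.nio.file.Files.createTempFile()`, then reports which is accessible to other local users. The class and method names and the `upload` prefix are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFilePermissionCheck {

    // Pattern named in the advisory: the mode comes from the process umask,
    // so a common umask of 022 yields rw-r--r-- in the shared temp directory.
    static Path legacyTemp() throws IOException {
        return File.createTempFile("upload", ".tmp").toPath();
    }

    // NIO alternative: on POSIX file systems the file is created rw-------.
    static Path ownerOnlyTemp() throws IOException {
        return Files.createTempFile("upload", ".tmp");
    }

    // True when anyone other than the owner holds any permission bit on the file.
    static boolean exposedToOtherUsers(Set<PosixFilePermission> perms) {
        return perms.stream().anyMatch(p -> !p.name().startsWith("OWNER_"));
    }

    // Prints the mode of the file, then removes it so the check leaves nothing behind.
    static void report(String label, Path file) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            System.out.printf("%-22s %s exposed=%b%n", label,
                    PosixFilePermissions.toString(perms), exposedToOtherUsers(perms));
        } finally {
            Files.deleteIfExists(file);
        }
    }

    public static void main(String[] args) throws IOException {
        // POSIX permission views do not exist on every platform (e.g. Windows).
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("POSIX permissions are not available on this file system");
            return;
        }
        report("File.createTempFile", legacyTemp());
        report("Files.createTempFile", ownerOnlyTemp());
    }
}
```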

Affected configurations

Node: redhat build_of_quarkus, Range: 2.16.1

Vendor: redhat
Product: build_of_quarkus
Version: *
CPE: cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "Quarkus",
    "versions": [
      {
        "version": "Fixed in 2.16.1",
        "status": "affected"
      }
    ]
  }
]
