CVE-2023-0482 – org.jboss.resteasy:resteasy-multipart-provider
Package
Manager: maven
Name: org.jboss.resteasy:resteasy-multipart-provider
Vulnerable Version: >=6.0.0.beta1 <6.2.3.final || >=5.0.0.alpha1 <5.0.6.final || >=4.0.0.beta1 <4.7.8.final || >=0 <3.15.5.final
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00037 (percentile 0.09736)
Details
Insecure Temporary File in RESTEasy

### Impact

In RESTEasy the insecure `File.createTempFile()` is used in the `DataSourceProvider`, `FileProvider` and `Mime4JWorkaround` classes, which creates temp files with insecure permissions that could be read by a local user.

### Patches

Fixed in the following pull requests:

* https://github.com/resteasy/resteasy/pull/3409 (7.0.0.Alpha1)
* https://github.com/resteasy/resteasy/pull/3423 (6.2.3.Final)
* https://github.com/resteasy/resteasy/pull/3412 (5.0.6.Final)
* https://github.com/resteasy/resteasy/pull/3413 (4.7.8.Final)
* https://github.com/resteasy/resteasy/pull/3410 (3.15.5.Final)

### Workarounds

There is no workaround for this issue.

### References

* https://nvd.nist.gov/vuln/detail/CVE-2023-0482
* https://bugzilla.redhat.com/show_bug.cgi?id=2166004
* https://github.com/advisories/GHSA-jrmh-v64j-mjm9
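The weakness class above (CWE-378) is easy to reproduce and to check for. The following is an added example, not RESTEasy's code or its actual patch: it contrasts `java.io.File.createTempFile()`, whose file mode follows the process umask, with `java.nio.file.Files.createTempFile()`, which creates the file with the most restrictive permissions the platform allows, and adds a small check that flags group- or world-readable temp files. The class name `TempFilePermissionsDemo` is hypothetical, and the permission inspection assumes a POSIX filesystem.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Hypothetical demo class; assumes a POSIX filesystem (Linux/macOS).
public class TempFilePermissionsDemo {

    // Weak pattern: the mode is derived from the umask, commonly 0644 on Linux,
    // so another local user can read whatever the application writes into it.
    static Path weakTempFile() throws IOException {
        File f = File.createTempFile("tmpdemo-", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    // Hardened pattern: NIO creates the file with the most restrictive
    // permissions available (rw------- on POSIX), independent of the umask.
    static Path hardenedTempFile() throws IOException {
        Path p = Files.createTempFile("tmpdemo-", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    // Defensive check: a temp file holding request data must not be
    // readable by the group or by others.
    static boolean isOwnerOnlyReadable(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return !perms.contains(PosixFilePermission.GROUP_READ)
            && !perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path weak = weakTempFile();
        Path hard = hardenedTempFile();
        System.out.println("File.createTempFile  -> "
            + PosixFilePermissions.toString(Files.getPosixFilePermissions(weak))
            + " ownerOnly=" + isOwnerOnlyReadable(weak));
        System.out.println("Files.createTempFile -> "
            + PosixFilePermissions.toString(Files.getPosixFilePermissions(hard))
            + " ownerOnly=" + isOwnerOnlyReadable(hard));
    }
}
```

With a default umask of 022 the first line typically reports rw-r--r-- and ownerOnly=false, the second rw------- and ownerOnly=true; on Windows `getPosixFilePermissions` throws UnsupportedOperationException, so the check there would have to use ACLs instead.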
Metadata
Created: 2025-01-15T18:56:57Z
Modified: 2025-01-15T18:56:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-2c6g-pfx3-w7h8/GHSA-2c6g-pfx3-w7h8.json
CWE IDs: ["CWE-378"]
Alternative ID: GHSA-2c6g-pfx3-w7h8
Finding: F028
Auto approve: 1