Fluid Attacks Database

Description

Insecure Temporary File in RESTEasy

Impact

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.

Patches

Fixed in the following pull requests:

https://github.com/resteasy/resteasy/pull/3409 (7.0.0.Alpha1)

https://github.com/resteasy/resteasy/pull/3423 (6.2.3.Final)

https://github.com/resteasy/resteasy/pull/3412 (5.0.6.Final)

https://github.com/resteasy/resteasy/pull/3413 (4.7.8.Final)

https://github.com/resteasy/resteasy/pull/3410 (3.15.5.Final)

Workarounds

There is no workaround for this issue.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-0482

https://bugzilla.redhat.com/show_bug.cgi?id=2166004

https://github.com/advisories/GHSA-jrmh-v64j-mjm9

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jboss.resteasy:resteasy-multipart-provider	>=6.0.0.beta1 <6.2.3.final \|\| >=5.0.0.alpha1 <5.0.6.final \|\| >=4.0.0.beta1 <4.7.8.final \|\| >=0 <3.15.5.final	6.2.3.final, 5.0.6.final, 4.7.8.final, 3.15.5.final
maven	org.jboss.resteasy:resteasy-core	>=6.0.0.beta1 <6.2.3.final \|\| >=5.0.0.alpha1 <5.0.6.final \|\| >=4.0.0.beta1 <4.7.8.final \|\| >=0 <3.15.5.final	6.2.3.final, 5.0.6.final, 4.7.8.final, 3.15.5.final
maven	org.jboss.resteasy:resteasy-undertow	>=0 <=6.2.2.final	-
debian 11	resteasy3.0	=3.0.26-2 \|\| =3.0.26-3 \|\| =3.0.26-4 \|\| =3.0.26-5 \|\| =3.0.26-6	-
debian 12	resteasy3.0	=3.0.26-6	-
debian 13	resteasy3.0	=3.0.26-6	-
debian 14	resteasy3.0	=3.0.26-6	-
rpm rhel8	resteasy	-	-
rpm rhel9	resteasy	-	-

Aliases

1. CVE-2023-04822. NVD-2023-04823. OSV-2023-04824. OSV-DEBIAN-2023-04825. GHSA-2c6g-pfx3-w7h86. GHSA-jrmh-v64j-mjm97. GCVE-2023-04828. SECURITY-TRACKER-CVE-2023-0482

References