Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix temporary directory hijacking or temporary directory information disclosure #1829

Merged
merged 2 commits into from
Sep 20, 2022
Merged

Fix temporary directory hijacking or temporary directory information disclosure #1829

merged 2 commits into from
Sep 20, 2022

Conversation

lbergelson
Copy link
Member

This is a re-upload of #1821 with a fixup since I don't have permissions to write to the remote branch.

@JLLeitschuh @TeamModerne @lbergelson
vuln-fix: Temporary Directory Hijacking or Information Disclosure
aaa0366 
This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.

Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: JLLeitschuh/security-research#10


Co-authored-by: Moderne <team@moderne.io>
@lbergelson
Copy link
Member Author

@droazen

@lbergelson lbergelson force-pushed the fix/JLL/temporary_directory_hijacking_or_temporary_directory_information_disclosure branch from c345909 to 0197596 Compare September 20, 2022 17:44
droazen
droazen approved these changes Sep 20, 2022
View reviewed changes
Copy link
Contributor

@droazen droazen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@lbergelson lbergelson merged commit 5db8017 into master Sep 20, 2022
@lbergelson lbergelson deleted the fix/JLL/temporary_directory_hijacking_or_temporary_directory_information_disclosure branch September 20, 2022 19:16
@lbergelson lbergelson mentioned this pull request Sep 20, 2022
Closed
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@droazen droazen droazen approved these changes

Assignees

@lbergelson lbergelson

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lbergelson @droazen @JLLeitschuh