Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix temporary directory hijacking or temporary directory information disclosure #1621

Merged
merged 3 commits into from
Sep 23, 2022
Merged

Fix temporary directory hijacking or temporary directory information disclosure #1621

merged 3 commits into from
Sep 23, 2022

Conversation

lbergelson
Copy link
Member

And updated version of #1617 which fixes and also deprecates the method in question.

lbergelson and others added 3 commits September 23, 2022 15:37
@lbergelson
disable codecov until we can fix the uploader
caf040f
@JLLeitschuh @TeamModerne @lbergelson
vuln-fix: Temporary Directory Hijacking or Information Disclosure
db260b0 
This fixes either Temporary Directory Hijacking, or Temporary Directory Local Information Disclosure.

Weakness: CWE-379: Creation of Temporary File in Directory with Insecure Permissions
Severity: High
CVSSS: 7.3
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.UseFilesCreateTempDirectory)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: JLLeitschuh/security-research#10

Co-authored-by: Moderne <team@moderne.io>
@lbergelson
deprecating the old method and adding comments
b796707
@lbergelson lbergelson force-pushed the fix/JLL/temporary_directory_hijacking_or_temporary_directory_information_disclosure branch from 40240b2 to b796707 Compare September 23, 2022 19:39
@lbergelson lbergelson merged commit 4a4024a into master Sep 23, 2022
@lbergelson lbergelson deleted the fix/JLL/temporary_directory_hijacking_or_temporary_directory_information_disclosure branch September 23, 2022 20:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lbergelson @JLLeitschuh