CVE-2021-22572

MEDIUM Year: 2021
CVSS v3 Score
5.5
Medium
CVSS v2 Score
2.1
Low
Weakness Type
CWE-377
View all →

Vulnerability Description

On unix-like systems, the system temporary directory is shared between all users on that system. The root cause is File.createTempFile creates files in the the system temporary directory with world readable permissions. Any sensitive information written to theses files is visible to all other local users on unix-like systems. We recommend upgrading past commit https://github.com/google/data-transfer-project/pull/969

Related Vulnerabilities

CVE-2016-9595

MEDIUM
CVSS:5.5(Medium)

A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them ...

CWE-3772016

CVE-2017-15111

MEDIUM
CVSS:5.5(Medium)

keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link.

CWE-3772017

CVE-2017-7560

MEDIUM
CVSS:5.5(Medium)

It was found that rhnsd PID files are created as world-writable that allows local attackers to fill the disks or to kill selected processes.

CWE-3772017

CVE-2018-17955

MEDIUM
CVSS:5.5(Medium)

In yast2-multipath before version 4.1.1 a static temporary filename allows local attackers to overwrite files on systems without symlink protection

CWE-3772018

CVE-2018-19637

MEDIUM
CVSS:5.5(Medium)

Supportutils, before version 3.1-5.7.1, wrote data to static file /tmp/supp_log, allowing local attackers to overwrite files on systems without symlink protection

CWE-3772018

CVE-2018-19640

MEDIUM
CVSS:5.5(Medium)

If the attacker manages to create files in the directory used to collect log files in supportutils before version 3.1-5.7.1 (e.g. with CVE-2018-19638) he can kill arbitrary processes on the local mach...

CWE-3772018