CVE-2023-0481: RestEasy Reactive implementation of Quarkus allows Creation of Temporary File With Insecure Permissions

February 24, 2023

In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user.

References

github.com/advisories/GHSA-j75r-vf64-6rrh
github.com/quarkusio/quarkus/commit/95d5904f7cf18c8165b97d8ca03b203d7f69c17e
github.com/quarkusio/quarkus/pull/30694
nvd.nist.gov/vuln/detail/CVE-2023-0481

Code Behaviors & Features

Detect and mitigate CVE-2023-0481 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →