{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-0482", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-02T05:10:56.348Z", "dateReserved": "2023-01-24T00:00:00", "datePublished": "2023-02-17T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-04-27T00:00:00"}, "descriptions": [{"lang": "en", "value": "In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user."}], "affected": [{"vendor": "n/a", "product": "RESTEasy", "versions": [{"version": "Fixed in RESTEasy 4.7.8.Final", "status": "affected"}]}], "references": [{"url": "https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56"}, {"url": "https://security.netapp.com/advisory/ntap-20230427-0001/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-378", "cweId": "CWE-378"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:10:56.348Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230427-0001/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:resteasy:3.15.4:*:*:*:*:*:*:*", "matchCriteriaId": "7EC7F357-F788-45EA-9EC8-1827E0C3C3F3", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:4.7.7:*:*:*:*:*:*:*", "matchCriteriaId": "A1127722-44D1-4E06-BDD8-979BFD6E3301", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0E3A6FBC-A883-42F6-84D3-FCBC7A5DC5B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:resteasy:6.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "E7E6BA5D-DE79-45FE-B033-7E9CB458CE3C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*", "matchCriteriaId": "E8F29E19-3A64-4426-A2AA-F169440267CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user."}], "id": "CVE-2023-0482", "lastModified": "2025-02-10T13:12:32.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-17T22:15:11.957", "references": [{"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230427-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230427-0001/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-378"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3185", "cpe": "cpe:/a:redhat:amq_broker:7", "package": "RESTEasy", "product_name": "AMQ Broker 7.10.3", "release_date": "2023-05-17T00:00:00Z"}, {"advisory": "RHSA-2023:1516", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "RESTEasy", "product_name": "EAP 7.4.10 release", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:6305", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.1::el8", "package": "mta/mta-hub-rhel8:6.1.4-2", "product_name": "MTA-6.1-RHEL-8", "release_date": "2023-11-06T00:00:00Z"}, {"advisory": "RHSA-2023:6305", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.1::el8", "package": "mta/mta-operator-bundle:6.1.4-3", "product_name": "MTA-6.1-RHEL-8", "release_date": "2023-11-06T00:00:00Z"}, {"advisory": "RHSA-2023:6305", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.1::el8", "package": "mta/mta-pathfinder-rhel8:6.1.4-1", "product_name": "MTA-6.1-RHEL-8", "release_date": "2023-11-06T00:00:00Z"}, {"advisory": "RHSA-2023:6305", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.1::el8", "package": "mta/mta-rhel8-operator:6.1.4-3", "product_name": "MTA-6.1-RHEL-8", "release_date": "2023-11-06T00:00:00Z"}, {"advisory": "RHSA-2023:6305", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.1::el8", "package": "mta/mta-ui-rhel8:6.1.4-2", "product_name": "MTA-6.1-RHEL-8", "release_date": "2023-11-06T00:00:00Z"}, {"advisory": "RHSA-2023:6305", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.1::el8", "package": "mta/mta-windup-addon-rhel8:6.1.4-2", "product_name": "MTA-6.1-RHEL-8", "release_date": "2023-11-06T00:00:00Z"}, {"advisory": "RHSA-2023:5165", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat AMQ Streams 2.5.0", "release_date": "2023-09-14T00:00:00Z"}, {"advisory": "RHSA-2023:1513", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-resteasy-0:3.15.5-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:1514", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-resteasy-0:3.15.5-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:1512", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-resteasy-0:3.15.5-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2023-03-29T00:00:00Z"}, {"advisory": "RHSA-2023:2713", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6.3", "package": "RESTEasy", "product_name": "Red Hat Single Sign-On 7", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2705", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2706", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2707", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package": "rh-sso7-keycloak-0:18.0.7-1.redhat_00001.1.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:2710", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso76-openshift-rhel8:7.6-22", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-05-10T00:00:00Z"}, {"advisory": "RHSA-2023:4983", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "RESTEasy", "product_name": "RHPAM 7.13.4 async", "release_date": "2023-09-05T00:00:00Z"}, {"advisory": "RHSA-2024:1353", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "RESTEasy", "product_name": "RHPAM 7.13.5 async", "release_date": "2024-03-18T00:00:00Z"}], "bugzilla": {"description": "RESTEasy: creation of insecure temp files", "id": "2166004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-378", "details": ["In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user."], "name": "CVE-2023-0482", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Fix deferred", "package_name": "RESTEasy", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:amq_online:1", "fix_state": "Fix deferred", "package_name": "RESTEasy", "product_name": "Red Hat A-MQ Online"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "RESTEasy", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "org.jboss.resteasy/resteasy-core", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "RESTEasy", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "RESTEasy", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "RESTEasy", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "RESTEasy", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "RESTEasy", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "RESTEasy", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "RESTEasy", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2023-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-0482\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0482"], "threat_severity": "Low", "upstream_fix": "RESTEasy 4.7.8.Final"}