CWE-379
Creation of Temporary File in Directory with Insecure Permissions
Bas
Incomplete
2006-07-19
00h00 +00:00
00h00 +00:00
2023-10-26
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Creation of Temporary File in Directory with Insecure Permissions
The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
Description du CWE
On some operating systems, the fact that the temporary file exists may be apparent to any user with sufficient privileges to access that directory. Since the file is visible, the application that is using the temporary file could be known. If one has access to list the processes on the system, the attacker has gained information about what the user is doing at that time. By correlating this with the applications the user is running, an attacker could potentially discover what a user's actions are. From this, higher levels of security could be breached.
Informations générales
Modes d'introduction
ImplementationPlateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Confidentiality | Read Application Data Note: Since the file is visible and the application which is using the temp file could be known, the attacker has gained information about what the user is doing at that time. |
Exemples observés
| Références | Description |
|---|---|
CVE-2022-27818 | A hotkey daemon written in Rust creates a domain socket file underneath /tmp, which is accessible by any user. |
CVE-2021-21290 | A Java-based application for a rapid-development framework uses File.createTempFile() to create a random temporary file with insecure default permissions. |
Mesures d’atténuation potentielles
Phases : RequirementsMany contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.
Phases : Implementation
Try to store sensitive tempfiles in a directory which is not world readable -- i.e., per-user directories.
Phases : Implementation
Avoid using vulnerable temp file functions.
Méthodes de détection
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Efficacité : High
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-18
The CLASP Application Security ProcessSecure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
REF-62
The Art of Software Security AssessmentMark Dowd, John McDonald, Justin Schuh.
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| CLASP | Draft 3 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Description, Name | |
| CWE Content Team | MITRE | updated Description, Other_Notes, Potential_Mitigations | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Type | |
| CWE Content Team | MITRE | updated Name, References, Relationships, Type | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated Detection_Factors, Relationships, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Observed_Examples |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.