CVE-2023-0481: Exposure of Resource to Wrong Sphere

February 24, 2023 (updated November 16, 2023)

In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user.

References

github.com/advisories/GHSA-j75r-vf64-6rrh
github.com/quarkusio/quarkus/commit/95d5904f7cf18c8165b97d8ca03b203d7f69c17e
github.com/quarkusio/quarkus/pull/30694
nvd.nist.gov/vuln/detail/CVE-2023-0481

Detect and mitigate CVE-2023-0481 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →