CVE-2023-43123: Apache Storm Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due temporary files
(updated )
On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.
The method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r–r–. Thus, if sensitive information is written to this file, other local users can read this information.
File.createTempFile(String, String) will create a temporary file in the system temporary directory if the ‘java.io.tmpdir’ system property is not explicitly set.
References
- github.com/advisories/GHSA-85p4-q357-72h9
- github.com/apache/storm
- github.com/apache/storm/commit/b778125a17ce7497d80aea1e339f3a282aeeb65a
- github.com/apache/storm/pull/3582
- issues.apache.org/jira/browse/STORM-3123
- lists.apache.org/thread/88oc1vqfjtr29cz5xts0v2wm5pmhbm0l
- nvd.nist.gov/vuln/detail/CVE-2023-43123
- www.openwall.com/lists/oss-security/2023/11/23/1
Detect and mitigate CVE-2023-43123 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →