Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2023-43123
Modified
More InfoOfficial Page
Source-security@apache.org
View Known Exploited Vulnerability (KEV) details
Published At-23 Nov, 2023 | 10:15
Updated At-13 Feb, 2025 | 17:17

On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information. File.createTempFile(String, String) will create a temporary file in the system temporary directory if the 'java.io.tmpdir' system property is not explicitly set. This affects the class  https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99  and was introduced by  https://issues.apache.org/jira/browse/STORM-3123 In practice, this has a very limited impact as this class is used only if ui.disable.spout.lag.monitoring is set to false, but its value is true by default. Moreover, the temporary file gets deleted soon after its creation. The solution is to use  Files.createTempFile https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...)  instead. We recommend that all users upgrade to the latest version of Apache Storm.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CPE Matches
The Apache Software Foundation
apache
>>storm>>Versions from 2.0.0(inclusive) to 2.6.0(exclusive)
cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-200Secondarysecurity@apache.org
NVD-CWE-OtherPrimarynvd@nist.gov
CWE ID: CWE-200
Type: Secondary
Source: security@apache.org
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.openwall.com/lists/oss-security/2023/11/23/1security@apache.org
Mailing List
Third Party Advisory
https://lists.apache.org/thread/88oc1vqfjtr29cz5xts0v2wm5pmhbm0lsecurity@apache.org
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/11/23/1af854a3a-2127-422b-91ae-364da2661108
Mailing List
Third Party Advisory
https://lists.apache.org/thread/88oc1vqfjtr29cz5xts0v2wm5pmhbm0laf854a3a-2127-422b-91ae-364da2661108
Mailing List
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2023/11/23/1
Source: security@apache.org
Resource:
Mailing List
Third Party Advisory
Hyperlink: https://lists.apache.org/thread/88oc1vqfjtr29cz5xts0v2wm5pmhbm0l
Source: security@apache.org
Resource:
Mailing List
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2023/11/23/1
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Mailing List
Third Party Advisory
Hyperlink: https://lists.apache.org/thread/88oc1vqfjtr29cz5xts0v2wm5pmhbm0l
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Mailing List
Vendor Advisory
Change History
0Changes found
Details not found