CVE-2023-0482

Name: CVE-2023-0482
Description: In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1031728, 1031729

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| resteasy (PTS) | jessie | 3.0.6-2 | vulnerable |
| | sid | 3.6.2-2 | vulnerable |
| resteasy3.0 (PTS) | buster | 3.0.26-1 | vulnerable |
| | bullseye | 3.0.26-2 | vulnerable |
| | sid, trixie, bookworm | 3.0.26-6 | vulnerable |

The information below is based on the following data on fixed versions.

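| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| resteasy | source | jessie | (unfixed) | end-of-life | | |
| resteasy | source | (unstable) | (unfixed) | | | 1031728 |
| resteasy3.0 | source | (unstable) | (unfixed) | | | 1031729 |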

Notes

[bookworm] - resteasy3.0 <ignored> (Minor issue, no reverse deps in Bookworm)
[bullseye] - resteasy3.0 <no-dsa> (Minor issue)
[buster] - resteasy3.0 <no-dsa> (Minor issue)
https://github.com/resteasy/resteasy/pull/3409/
https://github.com/resteasy/resteasy/commit/3d8a551d80b98f185edaff6f895188ec8211366b
