
CWE-377 (Insecure Temporary File) — Vulnerability Class 67

67 vulnerabilities classified as CWE-377 (Insecure Temporary File). AI-generated Chinese-language analysis included.

CWE-377 represents a critical software weakness involving the creation and use of insecure temporary files, which exposes sensitive application and system data to potential compromise. This vulnerability is typically exploited by attackers who predict or guess the filename of a temporary file, allowing them to create a symbolic link or a malicious file with the same name before the legitimate application writes to it. This substitution enables the attacker to overwrite critical data, execute arbitrary code, or escalate privileges by tricking the application into interacting with the malicious file instead of the intended temporary storage. To mitigate this risk, developers must ensure that temporary files are created with strict access controls, such as using secure file creation flags that prevent race conditions. Additionally, employing unique, unpredictable filenames and storing temporary data in directories with restricted permissions significantly reduces the attack surface, ensuring that only the intended process can access the sensitive information.

MITRE CWE Description
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Files or Directories; Modify Files or Directories
Examples (1)
The following code uses a temporary file for storing intermediate data gathered from the network before it is processed.

    /* tmpnam_r() only returns a name; the name is predictable and nothing is
     * created until fopen(), so another local user can plant a file or symlink
     * at that path in between and fopen() will follow it. */
    if (tmpnam_r(filename)) {
        FILE* tmp = fopen(filename, "wb+");
        while ((recv(sock, recvbuf, DATA_SIZE, 0) > 0) & (amt != 0))
            amt = fwrite(recvbuf, 1, DATA_SIZE, tmp);
    }
    ...

Bad · C
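The hardened counterpart of that pattern, as an added example (not MITRE's or any product's code): the name is chosen and the file created atomically by mkstemp(), the result is verified through the descriptor rather than the path, and the name is unlinked immediately so nothing on disk can be substituted. The template "recvbuf.XXXXXX" and the TMPDIR fallback to /tmp are this example's own choices.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened counterpart of the tmpnam_r()/fopen() pattern above (added
 * illustration, not MITRE's or any product's code). mkstemp() picks an
 * unpredictable name and creates it with O_CREAT|O_EXCL atomically, so a
 * planted file or symlink under a guessed name fails the open rather than
 * being followed; unlinking at once leaves the data reachable only via the fd. */
int open_private_tmpfile(void) {
    const char *dir = getenv("TMPDIR");           /* fall back to /tmp if unset */
    if (dir == NULL || dir[0] != '/') dir = "/tmp";
    char tmpl[4096];
    if (snprintf(tmpl, sizeof tmpl, "%s/recvbuf.XXXXXX", dir) >= (int)sizeof tmpl)
        return -1;

    mode_t old = umask(077);                      /* mkstemp already uses 0600 */
    int fd = mkstemp(tmpl);
    umask(old);
    if (fd < 0) return -1;

    /* Check through the descriptor (a rename of the path cannot race this):
     * regular file, owned by us, no group/other bits, exactly one link. */
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             st.st_uid == geteuid() && (st.st_mode & 077) == 0 && st.st_nlink == 1;
    unlink(tmpl);                                 /* drop the name either way */
    if (!ok) { close(fd); return -1; }
    return fd;
}

/* Write the whole buffer to fd, handling short writes. Returns 0 on success. */
int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) return -1;
        buf += n; len -= (size_t)n;
    }
    return 0;
}

int main(void) {
    int fd = open_private_tmpfile();
    if (fd < 0) { perror("open_private_tmpfile"); return 1; }
    const char msg[] = "constructed sample payload";   /* stands in for recv() data */
    if (write_all(fd, msg, sizeof msg - 1) != 0) return 1;
    printf("intermediate data held in fd %d; no path exists to tamper with\n", fd);
    return close(fd);
}
```

Later processing reads the data back through the same descriptor (lseek to 0, then read); re-opening by name is exactly the step the original code got wrong.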
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-21809 | InHand Networks InRouter302 code issue vulnerability | InRouter302 | 8.8 | - | 2022-05-12
CVE-2021-22572 | Data-transfer-project information disclosure via tmp directory | Data-Transfer-Project | 5.5 | Medium | 2022-03-29
CVE-2022-0315 | Insecure Temporary File in horovod/horovod | horovod/horovod | 8.1 | - | 2022-03-24
CVE-2022-21945 | cscreen: usage of fixed path /tmp/cscreen.debug | Factory | 5.1 | Medium | 2022-03-16
CVE-2021-46705 | grub2-once uses fixed file name in /var/tmp | SUSE Linux Enterprise Server 15 SP4 | 5.1 | Medium | 2022-03-16
CVE-2022-0736 | Insecure Temporary File in mlflow/mlflow | mlflow/mlflow | 7.1 | - | 2022-02-23
CVE-2011-4119 | Caml-light security vulnerability | caml-light | 9.8 | - | 2021-10-26
CVE-2012-2666 | Google Golang security vulnerability | go/golang | 9.8 | - | 2021-07-09
CVE-2018-16494 | Versa servers authorization issue vulnerability | Versa VOS | 8.8 | - | 2021-05-26
CVE-2021-20202 | keycloak security vulnerability | keycloak | 7.1 | - | 2021-05-12
CVE-2021-25316 | Local DoS of VM live migration due to use of static tmp files in detach_disks.sh in s390-tools | SUSE Linux Enterprise Server 12-SP5 | 3.3 | Low | 2021-04-14
CVE-2021-29429 | Information disclosure through temporary directory permissions | gradle | 4.0 | Medium | 2021-04-12
CVE-2020-35451 | Oozie local privilege escalation | Apache Oozie | 4.7 | - | 2021-03-09
CVE-2020-8032 | Local privilege escalation to root due to insecure tmp file usage | Factory | 6.7 | Medium | 2021-02-25
CVE-2020-8027 | openldap uses fixed paths in /tmp | SUSE Linux Enterprise Server 15-LTSS | 7.3 | High | 2021-02-11
CVE-2020-8030 | skuba: Insecure /tmp usage when joining node to cluster | SUSE CaaS Platform 4.5 | 3.6 | Low | 2021-02-11
CVE-2020-10744 | Red Hat Ansible race condition vulnerability | ansible | 5.0 | Medium | 2020-05-15
CVE-2020-2016 | PAN-OS: Temporary file race condition vulnerability in PAN-OS leads to local privilege escalation | PAN-OS | 7.0 | High | 2020-05-13
CVE-2020-1994 | PAN-OS: Predictable temporary file vulnerability | PAN-OS | 4.1 | Medium | 2020-05-13
CVE-2020-1991 | Traps: Insecure temporary file vulnerability may allow privilege escalation on Windows | Traps | 7.8 | High | 2020-04-08
CVE-2020-1740 | Ansible information disclosure vulnerability | ansible | 3.9 | Low | 2020-03-16
CVE-2020-1981 | PAN-OS: Predictable temporary filename vulnerability allows local privilege escalation | PAN-OS | 7.0 | High | 2020-03-11
CVE-2020-1733 | Ansible security vulnerability | Ansible | 5.0 | Medium | 2020-03-11
CVE-2018-17955 | Static tempfile name allows overwriting of arbitrary files | yast2-multipath | 5.5 | - | 2019-03-15
CVE-2018-19637 | Static temporary filename allows overwriting of files | supportutils | 5.5 | - | 2019-03-05
CVE-2018-19640 | Code execution if run with command line switch -v | supportutils | 5.5 | - | 2019-03-05
CVE-2018-19638 | User can overwrite arbitrary log files in support tar | supportutils | 5.5 | - | 2019-03-05
CVE-2018-6706 | McAfee Agent (MA) non-Windows versions incorrect use of temporary file vulnerability | McAfee Agent (MA) for Linux | 6.2 | - | 2018-12-12
CVE-2018-6704 | McAfee Agent for Linux Privilege Escalation vulnerability | McAfee Agent (MA) for Linux | 7.8 | - | 2018-12-12
CVE-2018-6705 | McAfee Agent (MA) for Linux Privilege Escalation vulnerability | McAfee Agent (MA) for Linux | 7.8 | - | 2018-12-12

Vulnerabilities classified as CWE-377 (Insecure Temporary File) represent 67 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.