67 vulnerabilities classified as CWE-377 (Insecure Temporary File). AI Chinese analysis included.
CWE-377 represents a critical software weakness involving the creation and use of insecure temporary files, which exposes sensitive application and system data to potential compromise. This vulnerability is typically exploited by attackers who predict or guess the filename of a temporary file, allowing them to create a symbolic link or a malicious file with the same name before the legitimate application writes to it. This substitution enables the attacker to overwrite critical data, execute arbitrary code, or escalate privileges by tricking the application into interacting with the malicious file instead of the intended temporary storage. To mitigate this risk, developers must ensure that temporary files are created with strict access controls, such as using secure file creation flags that prevent race conditions. Additionally, employing unique, unpredictable filenames and storing temporary data in directories with restricted permissions significantly reduces the attack surface, ensuring that only the intended process can access the sensitive information.
```c
#include <stdio.h>
#include <sys/socket.h>

/* CWE-377 pattern: tmpnam_r() only proposes a name; fopen() then creates the
 * file in a separate step. An attacker who predicts the name can plant a
 * symbolic link or file at it in between, and fopen() will follow it.
 * (The fragment assumes filename, recvbuf, sock, amt and DATA_SIZE are
 * declared by the enclosing function.) */
if (tmpnam_r(filename)) {
    FILE* tmp = fopen(filename, "wb+");
    ssize_t got;
    /* Write only the bytes actually received, not a full DATA_SIZE block. */
    while ((got = recv(sock, recvbuf, DATA_SIZE, 0)) > 0 && amt != 0)
        amt = fwrite(recvbuf, 1, (size_t)got, tmp);
}
/* ... */
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2016-9595 | katello-debug security vulnerability — katello-debug | 5.5 | - | 2018-07-27 |
| CVE-2017-16024 | sync-exec security vulnerability — sync-exec node module | 6.5 | - | 2018-06-04 |
| CVE-2018-3710 | GitLab Community Edition and Enterprise Edition project import component security vulnerability — GitLab Community and Enterprise Editions | 7.8 | - | 2018-03-21 |
| CVE-2018-1053 | PostgreSQL security vulnerability — postgresql | 7.8 | - | 2018-02-09 |
| CVE-2017-15111 | Red Hat keycloak-httpd-client-install security vulnerability — keycloak-httpd-client-install | 5.5 | - | 2018-01-20 |
| CVE-2017-7549 | Red Hat OpenStack Platform link following vulnerability — instack-undercloud | 2.5 | - | 2017-09-21 |
| CVE-2017-7560 | rhnsd security vulnerability — rhnsd | 7.1 | - | 2017-09-13 |
Vulnerabilities classified as CWE-377 (Insecure Temporary File) represent 67 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.
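The description above recommends secure file creation flags, unpredictable names and restricted permissions. The following C program is an added example (not code from the page or from any of the listed projects) showing the hardened counterpart of the tmpnam_r()/fopen() snippet: mkstemp() chooses an unpredictable name and creates the file with O_CREAT|O_EXCL and mode 0600 in a single call, the result is verified through the descriptor rather than the path, and only the bytes actually received are written. The function and path names are hypothetical, the input is read from any file descriptor instead of a socket so the self-check can drive it through a pipe with constructed data, and a writable /tmp is assumed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DATA_SIZE 4096

/* Hypothetical hardened replacement for the tmpnam_r()/fopen() pattern.
 * mkstemp() rewrites the XXXXXX with unpredictable characters and opens the
 * file with O_CREAT|O_EXCL, mode 0600, atomically: a file or symlink planted
 * at that name makes the call fail instead of being followed.
 * Reads from descriptor `src`, copies the created path into path_out and
 * returns the number of bytes stored, or -1 on error (no file is left behind). */
ssize_t store_untrusted_stream(int src, char *path_out, size_t path_len)
{
    char tmpl[] = "/tmp/upload-XXXXXX";      /* assumed temp dir; must end in XXXXXX */
    int fd = mkstemp(tmpl);
    if (fd == -1)
        return -1;

    /* Defence in depth: check via the open descriptor (not the path) that we
     * hold a regular file owned by us. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        unlink(tmpl);
        return -1;
    }

    char buf[DATA_SIZE];
    ssize_t total = 0, n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {                      /* write only the bytes received */
            ssize_t w = write(fd, buf + off, (size_t)(n - off));
            if (w < 0) {
                if (errno == EINTR)
                    continue;
                close(fd);
                unlink(tmpl);
                return -1;
            }
            off += w;
        }
        total += n;
    }
    int read_failed = (n < 0);
    close(fd);
    if (read_failed || strlen(tmpl) >= path_len) {
        unlink(tmpl);
        return -1;
    }
    strcpy(path_out, tmpl);
    return total;
}

/* What O_EXCL buys: if anything already occupies `path`, open() fails with
 * EEXIST rather than opening or following it. Returns 1 when an existing
 * entry is rejected; 0 if the path was free (the file is then created). */
int exclusive_create_rejects_existing(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return errno == EEXIST;
    close(fd);
    return 0;
}

/* Self-check on constructed input: push 11 bytes through a pipe, store them,
 * then confirm contents, the 0600 mode, and that a second exclusive create on
 * the now-existing path is refused. Returns 1 on success, 0 on any failure. */
int selftest(void)
{
    const char sample[] = "hello world";      /* constructed sample payload */
    int p[2];
    if (pipe(p) != 0)
        return 0;
    if (write(p[1], sample, sizeof sample - 1) != (ssize_t)(sizeof sample - 1))
        return 0;
    close(p[1]);

    char path[64];
    ssize_t stored = store_untrusted_stream(p[0], path, sizeof path);
    close(p[0]);
    if (stored != (ssize_t)(sizeof sample - 1))
        return 0;

    int ok = 0;
    struct stat st;
    char back[32] = {0};
    FILE *f = fopen(path, "rb");
    if (f) {
        size_t got = fread(back, 1, sizeof back - 1, f);
        fclose(f);
        ok = got == sizeof sample - 1 && memcmp(back, sample, got) == 0
             && stat(path, &st) == 0 && (st.st_mode & 0777) == 0600
             && exclusive_create_rejects_existing(path) == 1;
    }
    unlink(path);
    return ok;
}

int main(void)
{
    printf("selftest: %s\n", selftest() ? "pass" : "FAIL");
    return 0;
}
```

The two properties that matter for CWE-377 are both visible here: the name is never known to anyone before the file exists, and creation and opening are one atomic, exclusive operation, so the window in which a predicted name could be pre-planted is gone. Keeping all later checks on the descriptor (fstat rather than stat on the path) avoids reintroducing a time-of-check/time-of-use gap.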