CWE-378 创建拥有不安全权限的临时文件类漏洞列表 34

CWE-378 创建拥有不安全权限的临时文件类弱点 34 条 CVE 漏洞汇总，含 AI 中文分析。

CWE-378属于临时文件权限配置不当漏洞。当应用程序创建临时文件时若未设置严格权限，攻击者可利用此缺陷通过符号链接攻击或竞态条件，读取敏感数据或篡改文件内容以执行恶意代码。开发者应避免使用默认权限，需显式指定仅所有者可读写，并采用原子性操作确保文件创建与权限设置的同步，从而防止未授权访问。

MITRE CWE 官方描述

CWE：CWE-378 以不安全权限创建临时文件英文：在不采取适当措施或控制的情况下打开临时文件，可能导致该文件、其内容以及受其影响的任何函数易受攻击。

常见影响 (3)

ConfidentialityRead Application Data

If the temporary file can be read by the attacker, sensitive information may be in that file which could be revealed.

Authorization, OtherOther

If that file can be written to by the attacker, the file might be moved into a place to which the attacker does not have access. This will allow the attacker to gain selective resource access-control privileges.

Integrity, OtherOther

Depending on the data stored in the temporary file, there is the potential for an attacker to gain an additional input vector which is trusted as non-malicious. It may be possible to make arbitrary changes to data structures, user information, or even process ownership.

缓解措施 (3)

RequirementsMany contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible.

ImplementationEnsure that you use proper file permissions. This can be achieved by using a safe temp file function. Temporary files should be writable and readable only by the process that owns the file.

ImplementationRandomize temporary file names. This can also be achieved by using a safe temp-file function. This will ensure that temporary files will not be created in predictable places.

代码示例 (1)

In the following code examples a temporary file is created and written to. After using the temporary file, the file is closed and deleted from the file system.

FILE *stream; if( (stream = tmpfile()) == NULL ) { perror("Could not open new temporary file\n"); return (-1); } // write data to tmp file ... // remove tmp file rmtmp();

Bad · C

try { File temp = File.createTempFile("pattern", ".suffix"); temp.deleteOnExit(); BufferedWriter out = new BufferedWriter(new FileWriter(temp)); out.write("aString"); out.close(); } catch (IOException e) { }

Bad · Java

CVE ID	标题	CVSS	风险等级	Published
CVE-2026-33572	OpenClaw 安全漏洞 — OpenClaw	8.4	High	2026-03-29
CVE-2026-4822	Iperius Backup 安全漏洞 — Iperius Backup	7.0	High	2026-03-25
CVE-2025-46685	Dell SupportAssist OS Recovery 安全漏洞 — SupportAssist OS Recovery	7.5	High	2026-01-13
CVE-2025-46684	Dell SupportAssist OS Recovery 安全漏洞 — SupportAssist OS Recovery,	6.6	Medium	2026-01-13
CVE-2025-34352	JumpCloud Remote Assist 安全漏洞 — Remote Assist	7.8^AI	High^AI	2025-12-02
CVE-2025-7647	LlamaIndex 安全漏洞 — run-llama/llama_index	8.8	-	2025-09-27
CVE-2025-4953	Podman 安全漏洞	7.4	High	2025-09-16
CVE-2025-9474	Mihomo Party 安全漏洞 — Party	4.5	Medium	2025-08-26
CVE-2025-38747	Dell SupportAssist OS Recovery 安全漏洞 — SupportAssist OS Recovery	7.8	High	2025-08-06
CVE-2025-32438	Nixpkgs 安全漏洞 — nixpkgs	8.8	High	2025-04-15
CVE-2025-27148	Gradle 安全漏洞 — gradle	8.8	High	2025-02-25
CVE-2024-52543	Dell NativeEdge 安全漏洞 — NativeEdge	6.5	Medium	2024-12-25
CVE-2024-47884	foxmarks 安全漏洞 — foxmarks	5.0^AI	Medium^AI	2024-10-11
CVE-2024-23454	Apache Hadoop 安全漏洞 — Apache Hadoop	5.5^AI	Medium^AI	2024-09-25
CVE-2024-7358	Point B Getscreen 安全漏洞 — Getscreen Agent	7.8	High	2024-08-01
CVE-2024-39872	Siemens SINEMA Remote Connect Server 安全漏洞 — SINEMA Remote Connect Server	9.6	Critical	2024-07-09
CVE-2023-28600	Zoom Client 安全漏洞 — Zoom for macOS Client	5.2	Medium	2023-06-13
CVE-2023-27408	Siemens SCALANCE 安全漏洞 — SCALANCE LPE9403	3.3	Low	2023-05-09
CVE-2023-0481	Quarkus 安全漏洞 — Quarkus	3.3	-	2023-02-24
CVE-2023-0482	Resteasy 安全漏洞 — RESTEasy	5.5	-	2023-02-17
CVE-2022-24411	Dell Technologies Dell PowerScale OneFS 安全漏洞 — PowerScale OneFS	7.8	High	2022-04-12
CVE-2021-25654	Avaya Aura Device Services 代码注入漏洞 — Avaya Aura Devices Services	6.2	Medium	2021-06-25
CVE-2021-1426	Cisco AnyConnect Secure Mobility Client for Windows 代码问题漏洞 — Cisco AnyConnect Secure Mobility Client	7.0	High	2021-05-06
CVE-2021-1427	Cisco AnyConnect Secure Mobility Client for Windows 代码问题漏洞 — Cisco AnyConnect Secure Mobility Client	7.0	High	2021-05-06
CVE-2021-1496	Cisco AnyConnect Secure Mobility Client for Windows 代码问题漏洞 — Cisco AnyConnect Secure Mobility Client	7.0	High	2021-05-06
CVE-2021-1429	Cisco AnyConnect Secure Mobility Client for Windows 代码问题漏洞 — Cisco AnyConnect Secure Mobility Client	7.0	High	2021-05-06
CVE-2021-1430	Cisco AnyConnect Secure Mobility Client for Windows 代码问题漏洞 — Cisco AnyConnect Secure Mobility Client	7.0	High	2021-05-06
CVE-2021-1428	Cisco AnyConnect Secure Mobility Client for Windows 代码问题漏洞 — Cisco AnyConnect Secure Mobility Client	7.0	High	2021-05-06
CVE-2021-28168	Maxim Nesen jersey 安全漏洞 — Eclipse Jersey	6.2	Medium	2021-04-22
CVE-2021-25314	ClusterLabs Hawk 安全漏洞 — SUSE Linux Enterprise High Availability 12-SP3	7.8	High	2021-04-14

CWE-378（创建拥有不安全权限的临时文件）是常见的弱点类别，本平台收录该类弱点关联的 34 条 CVE 漏洞。

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

CWE-378 创建拥有不安全权限的临时文件 类漏洞列表 34

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

CWE-378 创建拥有不安全权限的临时文件类漏洞列表 34