Miggo Logo
Miggo Vulnerability Database
CVE-2023-33695

CVE-2023-33695: Insecure Temporary File in HuTool

7.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-33695
GHSA ID
GHSA-7mcw-xmx3-7p8m
EPSS Score
0.05342%
CWE
CWE-377
Published
6/13/2023
Updated
11/10/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
cn.hutool:hutool-coremaven< 5.8.195.8.19

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the use of File.createTempFile() in FileUtil.createTempFile. This method creates temporary files with predictable names and default permissions that may be accessible to other users (CWE-377, CWE-732). The patch replaced this with PathUtil.createTempFile(), which uses Files.createTempFile() with safer permissions. The commit diff explicitly shows the removal of File.createTempFile() in favor of a more secure alternative, confirming this as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*utool v*.*.** *n* **low w*s *is*ov*r** to *ont*in *n in*orm*tion *is*losur* vuln*r**ility vi* t** `*il*.*r**t*T*mp*il*()` *un*tion *t `/*or*/io/*il*Util.j*v*`.

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* `*il*.*r**t*T*mp*il*()` in `*il*Util.*r**t*T*mp*il*`. T*is m*t*o* *r**t*s t*mpor*ry *il*s wit* pr**i*t**l* n*m*s *n* ****ult p*rmissions t**t m*y ** ****ssi*l* to ot**r us*rs (*W*-***, *W*-***). T** p*t** r*pl*