CVE-2023-33695: Insecure Temporary File in HuTool

CVSS Score (v3.1): 7.1

Basic Information

EPSS Score: 0.05342%
Published: 6/13/2023
Updated: 11/10/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name: cn.hutool:hutool-core
Ecosystem: maven
Vulnerable Versions: < 5.8.19
First Patched Version: 5.8.19

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the use of File.createTempFile() in FileUtil.createTempFile. This method creates temporary files with predictable names and default permissions that may be accessible to other users (CWE-377, CWE-732). The patch replaced this with PathUtil.createTempFile(), which uses Files.createTempFile() with safer permissions. The commit diff explicitly shows the removal of File.createTempFile() in favor of a more secure alternative, confirming this as the root cause.
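The two patterns contrasted in the analysis above, as an added example that is not Hutool's own code: the legacy `File.createTempFile()` call, which inherits the process's default (umask-derived) permissions, beside a `Files.createTempFile()` call that requests owner-only permissions explicitly, plus a small check that reports whether any group/other permission bit is set. The class name, the prefix and suffix strings, and the `isOwnerOnly` helper are assumptions for the demonstration; the example assumes a file system that exposes POSIX permissions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Demonstration class (assumed name); it is not part of Hutool.
public class TempFileDemo {

    // Pattern the analysis identifies as the root cause: java.io.File.createTempFile()
    // creates the file with the process's default, umask-derived permissions, so on a
    // shared host another local user may be able to read its contents (CWE-377, CWE-732).
    static File legacyTempFile() throws IOException {
        File f = File.createTempFile("tmpdemo-", ".tmp");
        f.deleteOnExit();
        return f;
    }

    // Hardened pattern in the direction of the fix (java.nio.file.Files.createTempFile):
    // request owner-only permissions explicitly where the file system supports POSIX
    // permissions. Files.createTempFile already uses restrictive permissions on POSIX
    // platforms; passing the attribute makes the intent explicit and reviewable.
    static Path secureTempFile() throws IOException {
        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
            FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
            Path p = Files.createTempFile("tmpdemo-", ".tmp", attr);
            p.toFile().deleteOnExit();
            return p;
        }
        // Non-POSIX file system (e.g. Windows): fall back to the JDK's default handling.
        Path p = Files.createTempFile("tmpdemo-", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    // Assumed helper: true when no group or other permission bit is set on the file.
    // On a file system without POSIX permissions the check is not applicable and
    // the method returns true, which callers should treat as "not evaluated".
    static boolean isOwnerOnly(Path p) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            return true;
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        Set<PosixFilePermission> forbidden = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);
        for (PosixFilePermission perm : perms) {
            if (forbidden.contains(perm)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        File legacy = legacyTempFile();
        Path secure = secureTempFile();
        System.out.println("legacy " + legacy + " ownerOnly=" + isOwnerOnly(legacy.toPath()));
        System.out.println("secure " + secure + " ownerOnly=" + isOwnerOnly(secure));
    }
}
```

Run it on a Linux host with the common umask of 022 and compare the two lines: the legacy file carries group/other read bits and fails the check, while the hardened file does not. The same check can be applied to temporary files a Hutool-based application creates before and after upgrading to 5.8.19, which is a practical way to confirm that the library's new `PathUtil.createTempFile()` path is actually being used.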

WAF Protection Rules

WAF Rule

Hutool v*.*.** and below was discovered to contain an information disclosure vulnerability via the `File.createTempFile()` function at `/core/io/FileUtil.java`.