Google Git
Sign in
apache / openjpa / refs/heads/master
commit87e253b9e58a8f061b0431a1ab4df3e5e1660519[log] [tgz]
authorJonathan Leitschuh <Jonathan.Leitschuh@gmail.com>Fri Nov 18 22:42:52 2022 +0000
committerMark Struberg <struberg@yahoo.de>Tue Jul 22 20:22:11 2025 +0200
treedcd79dcd28a516e6a442c72b7d042439fca99656
parent87964e00c50f2b421c2b6685d66fce73512fb6e1 [diff]
vuln-fix: Temporary File Information Disclosure



This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18


Co-authored-by: Moderne <team@moderne.io>
2 files changed
tree: dcd79dcd28a516e6a442c72b7d042439fca99656
  1. .github/
  2. openjpa/
  3. openjpa-all/
  4. openjpa-examples/
  5. openjpa-features/
  6. openjpa-integration/
  7. openjpa-jdbc/
  8. openjpa-jest/
  9. openjpa-junit5/
  10. openjpa-kernel/
  11. openjpa-kubernetes/
  12. openjpa-lib/
  13. openjpa-persistence/
  14. openjpa-persistence-jdbc/
  15. openjpa-persistence-locking/
  16. openjpa-project/
  17. openjpa-slice/
  18. openjpa-tools/
  19. openjpa-xmlstore/
  20. scripts/
  21. src/
  22. .gitignore
  23. LICENSE
  24. NOTICE
  25. patchoj.py
  26. pom.xml
  27. README.adoc