matteobaccan / quarkus-boilerplate

A simple quarkus repository
GNU General Public License v3.0

CVE-2023-0482 (Medium) detected in resteasy-core-4.7.4.Final.jar - autoclosed #21

Closed mend-bolt-for-github[bot] closed 10 months ago

mend-bolt-for-github[bot] commented 10 months ago

CVE-2023-0482 - Medium Severity Vulnerability

Vulnerable Library - resteasy-core-4.7.4.Final.jar

Library home page: https://jboss.org/resteasy

Path to dependency file: /code-with-quarkus/pom.xml

Path to vulnerable library: /code-with-quarkus/pom.xml

Dependency Hierarchy:
- quarkus-resteasy-2.6.1.Final.jar (Root Library)
  - quarkus-resteasy-server-common-2.6.1.Final.jar
    - quarkus-resteasy-common-2.6.1.Final.jar
      - :x: **resteasy-core-4.7.4.Final.jar** (Vulnerable Library)

Found in HEAD commit: dccf25693a7d87806c3afedcf6b541f33132bbce

Found in base branch: main

Vulnerability Details

In RESTEasy, the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes, which creates temp files with insecure permissions that could be read by a local user.

Publish Date: 2023-02-17

URL: CVE-2023-0482

CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None



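The advisory above names the risky call but not what makes it risky or what the safer alternative looks like. The following is an added example written for this page; it is not RESTEasy's code, not the quarkus-boilerplate project's code, and not the RESTEasy patch. The class and method names are hypothetical, and the "readable by others" outcome for the legacy call assumes a POSIX filesystem and the common process umask of 022.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added example (hypothetical class, not RESTEasy code): contrasts the
 * java.io.File.createTempFile() pattern named in CVE-2023-0482 with an
 * owner-only java.nio.file alternative, then inspects the resulting mode.
 */
public class TempFilePermissions {

    /**
     * Vulnerable pattern. java.io.File.createTempFile() opens the file with
     * mode 0666 masked by the process umask. With the usual umask of 022 the
     * file ends up 0644, so any local user can read whatever gets buffered
     * into it (uploads, multipart bodies, attachments).
     */
    static Path legacyTempFile() throws IOException {
        File f = File.createTempFile("upload-", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    /**
     * Hardened pattern. java.nio.file.Files.createTempFile() already limits a
     * new temp file to its owner on POSIX platforms; passing rw------- as an
     * explicit attribute makes that intent visible in review. On filesystems
     * without a "posix" attribute view (Windows) the attribute would throw
     * UnsupportedOperationException, so fall back to the NIO default there.
     */
    static Path ownerOnlyTempFile() throws IOException {
        boolean posix = FileSystems.getDefault()
                .supportedFileAttributeViews().contains("posix");
        Path p;
        if (posix) {
            Set<PosixFilePermission> ownerOnly =
                    PosixFilePermissions.fromString("rw-------");
            FileAttribute<Set<PosixFilePermission>> attr =
                    PosixFilePermissions.asFileAttribute(ownerOnly);
            p = Files.createTempFile("upload-", ".tmp", attr);
        } else {
            p = Files.createTempFile("upload-", ".tmp");
        }
        p.toFile().deleteOnExit();
        return p;
    }

    /**
     * True if group or other can read the file. Returns false when POSIX
     * permissions are not available, which means "not checkable", not "safe".
     */
    static boolean readableByOtherUsers(Path p) throws IOException {
        if (!FileSystems.getDefault()
                .supportedFileAttributeViews().contains("posix")) {
            return false;
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path hardened = ownerOnlyTempFile();
        System.out.println(legacy + " readable by other users: "
                + readableByOtherUsers(legacy));
        System.out.println(hardened + " readable by other users: "
                + readableByOtherUsers(hardened));
    }
}
```

Run on Linux with `umask 022` and the legacy file reports true while the hardened one reports false. Run with `umask 077` and both report false, which is the point: a deployment umask can hide the defect but is not a fix, because the mode is decided by the code that creates the file. The same check (`Files.getPosixFilePermissions` on the path a provider actually writes to) is a quick way to confirm whether an upgraded resteasy-core build behaves as expected in your own environment.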

mend-bolt-for-github[bot] commented 10 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.