Insecure Temporary File Permissions in Fess
Description
Hi Shinsuke Sugaya,
Thanks for getting back to me regarding the vulnerability, and implementing
the fix in your code! I would like to inquire whether it's possible to
credit ***@***.*** for the finding also, as I'm part of this
project to identify vulnerabilities in repositories and escalate them for
safer code practices.
Thank you!
Best Regards,
Sim Yee
On Thu, May 22, 2025 at 7:57 AM Shinsuke Sugaya <***@***.***> wrote:
Thank you for reporting this issue. While the typical deployment scenario
of Fess does not involve shared or multi-user environments, we acknowledge
that restrictive temporary file permissions are security best practices. We
have implemented the recommended fix and it will be included in the next
release.
<https://github.com/codelibs/fess/security/advisories/GHSA-g88v-2j67-9rmx>
Summary
Fess (an open-source Enterprise Search Server) creates temporary files without restrictive permissions, which may allow local attackers to read sensitive information from these temporary files.
Details
The createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files.
Impact
This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact.
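The weakness described above and the hardened form of the same call, as an added example that is not Fess's own SystemHelper code. It contrasts java.io.File.createTempFile(), whose mode is only narrowed by the process umask (on a typical Linux host with umask 022 the file ends up 0644, readable by every local account), with java.nio.file.Files.createTempFile() given an explicit owner-only permission attribute, and includes a check that a defender can run over a path to confirm it is not group- or world-accessible. The method names, the "fess-demo-" prefix and the fallback for non-POSIX filesystems are assumptions of this example, not part of the advisory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class TempFilePermissions {

    // Hypothetical helper name; true when the default filesystem exposes POSIX
    // permission bits (Linux, macOS), false on NTFS where the attribute API throws.
    static boolean posixSupported() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    // Weak form: java.io.File.createTempFile opens the file with mode 0666 and
    // lets the umask narrow it, so it is usually created world-readable.
    static Path createTempFileWeak(String prefix, String suffix) throws IOException {
        File f = File.createTempFile(prefix, suffix);
        f.deleteOnExit();
        return f.toPath();
    }

    // Hardened form: request rw------- atomically at creation time, so there is
    // no window in which another local user can open the file.
    static Path createTempFileRestricted(String prefix, String suffix) throws IOException {
        Path p;
        if (posixSupported()) {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
            FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
            p = Files.createTempFile(prefix, suffix, attr);
        } else {
            // Non-POSIX filesystem: the attribute cannot be applied, so rely on the
            // platform default, which is already the most restrictive the API offers here.
            p = Files.createTempFile(prefix, suffix);
        }
        p.toFile().deleteOnExit();
        return p;
    }

    // Check: a file passes only if every permission bit set belongs to the owner.
    static boolean isOwnerOnly(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        Set<PosixFilePermission> ownerBits = EnumSet.of(
                PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE,
                PosixFilePermission.OWNER_EXECUTE);
        return ownerBits.containsAll(perms);
    }

    public static void main(String[] args) throws IOException {
        if (!posixSupported()) {
            System.out.println("No POSIX permission view on this filesystem; nothing to compare.");
            return;
        }
        // Constructed sample names for the demonstration; not values from the advisory.
        Path weak = createTempFileWeak("fess-demo-", ".tmp");
        Path strict = createTempFileRestricted("fess-demo-", ".tmp");
        System.out.println("File.createTempFile  -> "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(weak))
                + "  ownerOnly=" + isOwnerOnly(weak));
        System.out.println("Files.createTempFile -> "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(strict))
                + "  ownerOnly=" + isOwnerOnly(strict));
    }
}
```

Run it on a Linux host with the default umask and the first line reports rw-r--r-- with ownerOnly=false while the second reports rw------- with ownerOnly=true. Note that Files.createTempFile already defaults to owner-only permissions on POSIX systems when no attribute is passed; passing the attribute explicitly documents the intent and keeps the behaviour independent of that default, and isOwnerOnly() is the kind of assertion worth keeping in a unit test so a later refactor back to File.createTempFile is caught.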
Workarounds
Ensure local access to the environment running Fess is restricted to trusted users only.
References