  Branch: refs/heads/master
  Home:   https://github.com/jenkinsci/compress-artifacts-plugin

  Commit: 767887175d9932a65d30057fb82b77acc8f53c73
      https://github.com/jenkinsci/compress-artifacts-plugin/commit/767887175d9932a65d30057fb82b77acc8f53c73
  Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
  Date:   2022-11-19 (Sat, 19 Nov 2022)

  Changed paths:
    M src/test/java/org/jenkinsci/plugins/compress_artifacts/CompressionInteropTest.java

  Log Message:
  -----------
  vuln-fix: Temporary File Information Disclosure

This fixes a temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method, which sets the correct POSIX
permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>
Signed-off-by: Jonathan Leitschuh <jonathan.leitsc...@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18

Co-authored-by: Moderne <t...@moderne.io>

  Commit: 21f89e3847c10a1f54ab23488661f581c7d6491c
      https://github.com/jenkinsci/compress-artifacts-plugin/commit/21f89e3847c10a1f54ab23488661f581c7d6491c
  Author: Oliver Gondža <ogon...@gmail.com>
  Date:   2022-12-10 (Sat, 10 Dec 2022)

  Changed paths:
    M src/test/java/org/jenkinsci/plugins/compress_artifacts/CompressionInteropTest.java

  Log Message:
  -----------
  Merge pull request #13 from BulkSecurityGeneratorProjectV2/fix/JLL/temporary_file_local_information_disclosure

[SECURITY] Fix Temporary File Information Disclosure Vulnerability

Compare: https://github.com/jenkinsci/compress-artifacts-plugin/compare/b20f3c77ddf7...21f89e3847c1
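
The permission difference described in the first commit message, as an added example that is not part of the commit or the plugin's code: it creates one temporary file with each API and reports which permission bits are granted to users other than the owner. The class name `TempFilePermissionsDemo` and the `demo-` file prefixes are hypothetical, and the `rw-------` mode noted for `Files.createTempFile()` is the OpenJDK behaviour on POSIX file systems.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical demo class, not taken from compress-artifacts-plugin.
public class TempFilePermissionsDemo {

    /** Returns the permission bits on {@code file} granted to anyone but the owner. */
    static Set<PosixFilePermission> nonOwnerBits(Path file) throws IOException {
        Set<PosixFilePermission> bits = EnumSet.noneOf(PosixFilePermission.class);
        bits.addAll(Files.getPosixFilePermissions(file));
        bits.removeAll(EnumSet.of(PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE));
        return bits;
    }

    /** Prints the full mode string and whether other local users can reach the file. */
    static void report(String label, Path file) throws IOException {
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(file));
        Set<PosixFilePermission> exposed = nonOwnerBits(file);
        System.out.printf("%-24s %s  %s%n", label, mode,
                exposed.isEmpty() ? "owner-only" : "granted to other users: " + exposed);
    }

    public static void main(String[] args) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("No POSIX permissions on this file system; nothing to compare.");
            return;
        }
        // Before the fix: the mode is whatever the process umask leaves
        // (commonly rw-r--r--), inside the shared java.io.tmpdir directory.
        File legacy = File.createTempFile("demo-legacy-", ".zip");
        // After the fix: created rw------- on POSIX file systems (OpenJDK).
        Path secure = Files.createTempFile("demo-secure-", ".zip");
        try {
            report("File.createTempFile()", legacy.toPath());
            report("Files.createTempFile()", secure);
        } finally {
            Files.deleteIfExists(legacy.toPath());
            Files.deleteIfExists(secure);
        }
    }
}
```

The first line of output depends on the umask of the process that runs it, so a restrictive umask such as 077 makes both files owner-only.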
