Fess Insecure Temporary File Permissions Vulnerability Allowing Information Disclosure

Vulnerability

Fess versions prior to 14.19.2 create temporary files through the createTempFile() method of the SystemHelper class with default rather than owner-only permissions. On a typical Linux host those files are therefore readable by other local accounts, so any other user on the machine can read whatever Fess writes to them. The issue matters most on shared or multi-user hosts; a single-user deployment, where no untrusted local accounts exist, is far less exposed.
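To make the mechanism concrete, here is an added example that is not Fess's own SystemHelper code: a hypothetical helper (class and method names are assumptions) contrasting the weak temp-file pattern with an owner-only one and verifying the resulting mode. On POSIX, java.io.File.createTempFile opens the file with mode 0666 masked by the process umask, so the usual umask 022 yields 0644 (world-readable); java.nio.file.Files.createTempFile defaults to 0600 on POSIX, and the hardened variant requests that explicitly so the intent is visible and the permissions are applied atomically at creation time.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added example, not Fess code: a hypothetical helper that contrasts the weak
 * temp-file pattern with an owner-only one and checks the resulting mode.
 */
public class TempFileDemo {

    /** rw------- (0600): only the owning user can read or write. */
    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    /** Bits that hand access to anyone other than the owner. */
    private static final Set<PosixFilePermission> NON_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    private static boolean posixSupported() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    /**
     * Weak: java.io.File.createTempFile opens the file with mode 0666 masked by the
     * process umask, so under the common umask 022 it ends up 0644 (world-readable).
     */
    public static Path createTempFileWeak(String prefix, String suffix) throws IOException {
        return File.createTempFile(prefix, suffix).toPath();
    }

    /**
     * Hardened: request owner-only permissions at creation time, so the file never
     * exists with wider permissions waiting for a later chmod.
     */
    public static Path createTempFileHardened(String prefix, String suffix) throws IOException {
        if (posixSupported()) {
            FileAttribute<Set<PosixFilePermission>> attr =
                    PosixFilePermissions.asFileAttribute(OWNER_ONLY);
            return Files.createTempFile(prefix, suffix, attr);
        }
        // No POSIX bits to set (e.g. Windows): the file inherits the temp directory's ACL,
        // and passing a POSIX attribute here would throw UnsupportedOperationException.
        return Files.createTempFile(prefix, suffix);
    }

    /** True if the file's mode grants read or write access beyond its owner. */
    public static boolean exposedToOtherUsers(Path file) throws IOException {
        if (!posixSupported()) {
            return false; // POSIX bits are not meaningful here; inspect the ACL instead
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        return perms.stream().anyMatch(NON_OWNER::contains);
    }

    private static String describe(Path file) throws IOException {
        String mode = posixSupported()
                ? PosixFilePermissions.toString(Files.getPosixFilePermissions(file))
                : "(no POSIX mode)";
        return file + " " + mode + (exposedToOtherUsers(file) ? "  <-- exposed" : "  ok");
    }

    public static void main(String[] args) throws IOException {
        Path weak = createTempFileWeak("demo-weak-", ".tmp");
        Path hardened = createTempFileHardened("demo-hard-", ".tmp");
        try {
            System.out.println(describe(weak));
            System.out.println(describe(hardened));
        } finally {
            Files.deleteIfExists(weak);
            Files.deleteIfExists(hardened);
        }
    }
}
```

Run it on a Linux host with the default umask and the first line reports rw-r--r-- and "exposed" while the second reports rw------- and "ok". The guard on the POSIX attribute view is what keeps the hardened variant portable: the same call that fixes the mode on Linux would throw on a file system without POSIX permission bits.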

Impact

A local user on the Fess host, with no network access to the application required, could read sensitive information from the temporary files Fess creates.

Remediation

Upgrade to Fess 14.19.2 or later. Where upgrading is not yet possible, restrict local (shell) access to the host running Fess to trusted users only; giving the Fess service account a private temporary directory that other accounts cannot traverse also limits what an untrusted local user can reach.
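For operators who cannot upgrade immediately, here is an added audit tool, not part of Fess, that lists the regular files in a temporary directory whose POSIX mode grants group or world access and optionally tightens them to 0600. The directory defaults to java.io.tmpdir and the name prefix is an assumed filter (the advisory does not state what prefix Fess uses), so pass whatever prefix you observe on your host, and run it as the Fess service account or as root so the chmod is permitted.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Stream;

/**
 * Added example, not Fess code: audit a temp directory for regular files whose POSIX
 * mode grants group/other access, and optionally tighten them to 0600.
 */
public class TempDirAudit {

    private static final Set<PosixFilePermission> NON_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    /**
     * Returns the files directly under dir whose name starts with prefix (an assumed
     * filter) and whose mode grants access beyond the owner. With fix == true each
     * finding is chmod'ed to 0600 as it is found.
     */
    public static List<String> findExposedFiles(Path dir, String prefix, boolean fix)
            throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            throw new UnsupportedOperationException("POSIX permission audit needs a POSIX file system");
        }
        List<String> findings = new ArrayList<>();
        try (Stream<Path> entries = Files.list(dir)) {
            for (Path p : (Iterable<Path>) entries::iterator) {
                if (!p.getFileName().toString().startsWith(prefix)) continue;
                try {
                    // NOFOLLOW_LINKS: a symlink planted in a shared /tmp must not redirect the audit
                    if (!Files.isRegularFile(p, LinkOption.NOFOLLOW_LINKS)) continue;
                    Set<PosixFilePermission> perms =
                            Files.getPosixFilePermissions(p, LinkOption.NOFOLLOW_LINKS);
                    if (Collections.disjoint(perms, NON_OWNER)) continue;
                    findings.add(PosixFilePermissions.toString(perms) + " " + p);
                    if (fix) {
                        // Only reached for a regular file we verified above; fails with an
                        // IOException if the file belongs to another user.
                        Files.setPosixFilePermissions(p, OWNER_ONLY);
                    }
                } catch (IOException e) {
                    // File vanished mid-scan or is not ours to change: report it and move on
                    findings.add("error " + p + ": " + e.getMessage());
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Paths.get(args.length > 0 ? args[0] : System.getProperty("java.io.tmpdir"));
        String prefix = args.length > 1 ? args[1] : "";
        boolean fix = args.length > 2 && "--fix".equals(args[2]);
        List<String> findings = findExposedFiles(dir, prefix, fix);
        findings.forEach(System.out::println);
        System.out.println(findings.size() + " finding(s) in " + dir);
    }
}
```

Tightening existing files closes the window for data already on disk; it does not change how a still-vulnerable Fess creates the next one, so treat the audit as a stopgap alongside the access restriction above, not as a substitute for the upgrade.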

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 4.5
remediation: 7.9
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.