Skip to main content

Red Hat CVE-2023-38037

MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2025-01-09 support@hackerone.com
5.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
SUSE
MEDIUM
qualitative
Red Hat
3.3 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 18:02 vuln.today
CVE Published
Jan 09, 2025 - 01:15 nvd
MEDIUM 5.5

DescriptionCVE.org

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current umask settings, meaning that it's possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

AnalysisAI

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. Rated medium severity (CVSS 5.5). This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

Technical ContextAI

This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current umask settings, meaning that it's possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it. All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Review and restrict file/resource permissions, apply principle of least privilege.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Package Hub 15 SP5 Fixed
openSUSE Leap 15.5 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
openSUSE Leap 15.6 Fixed

Share

CVE-2023-38037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy