CVE-2022-3952 : A vulnerability has been found in ManyDesigns Portofino 5.3.2 and classified as

A vulnerability has been found in ManyDesigns Portofino 5.3.2 and classified as problematic. Affected by this vulnerability is the function createTempDir of the file WarFileLauncher.java. The manipulation leads to creation of temporary file in directory with insecure permissions. Upgrading to version 5.3.3 is able to address this issue. The name of the patch is 94653cb357806c9cf24d8d294e6afea33f8f0775. It is recommended to upgrade the affected component. The identifier VDB-213457 was assigned to this vulnerability.

Published 2022-11-11 14:15:11

Updated 2022-11-15 20:47:23

Source VulDB

View at NVD, CVE.org

Products affected by CVE-2022-3952

Manydesigns » Portofino » Version: 5.3.2
cpe:2.3:a:manydesigns:portofino:5.3.2:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-3952

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 4 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-3952

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.6	LOW	CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N	1.2	1.4	VulDB
Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
7.1	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	1.8	5.2	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2022-3952

CWE-377 Insecure Temporary File

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Assigned by: cna@vuldb.com (Secondary)
CWE-379 Creation of Temporary File in Directory with Insecure Permissions

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

Assigned by: cna@vuldb.com (Secondary)
CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-3952

https://github.com/ManyDesigns/Portofino/releases/tag/v5.3.3

Release v5.3.3 · ManyDesigns/Portofino · GitHub
Release Notes;Third Party Advisory
https://github.com/ManyDesigns/Portofino/pull/580

[SECURITY] Fix Temporary Directory Hijacking or Information Disclosure Vulnerability by JLLeitschuh · Pull Request #580 · ManyDesigns/Portofino · GitHub
Exploit;Patch;Third Party Advisory
https://vuldb.com/?id.213457

Login required
Third Party Advisory
https://github.com/ManyDesigns/Portofino/commit/94653cb357806c9cf24d8d294e6afea33f8f0775

vuln-fix: Temporary Directory Hijacking or Information Disclosure · ManyDesigns/Portofino@94653cb · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-3952

Products affected by CVE-2022-3952

Exploit prediction scoring system (EPSS) score for CVE-2022-3952

CVSS scores for CVE-2022-3952

CWE ids for CVE-2022-3952

References for CVE-2022-3952