PT-2023-7199 · Apache · Apache Storm

Andrea Cosentino

Published 2023-11-23 · Updated 2023-11-30 · CVE-2023-43123

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Storm (affected versions not specified)

Description: The issue is insufficient access control in Apache Storm, the platform for distributed stream computing, when it runs on UNIX-like systems. On such systems the temporary directory is shared by all local users, so writing to it with an API that does not explicitly set file or directory permissions can disclose information. The method File.createTempFile creates a file whose name is built from a fixed prefix and suffix (so it is easy to identify) and, with a typical umask, with the default permissions -rw-r--r--, allowing any other local user to read whatever sensitive information is written to it. The impact is limited: the affected class is used only when ui.disable.spout.lag.monitoring is set to false, and that property defaults to true, so the code path is not reached in a default configuration; in addition, the temporary file is deleted soon after it is created.

Recommendations: The fix is to create temporary files with Files.createTempFile (java.nio.file) instead of File.createTempFile; on POSIX systems it creates the file readable and writable by the owner only, and it also accepts explicit permission attributes. As a temporary workaround, keep ui.disable.spout.lag.monitoring at its default value of true, or restrict access to the temporary directory the JVM uses (for example by pointing the standard java.io.tmpdir system property at a directory owned by the Storm user with mode 0700) until the upgrade is done. We recommend that all users upgrade to the latest version of Apache Storm.
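The difference between the two APIs is easy to check on any Linux box. The following Java program is an added example and is not Apache Storm's own code: it creates one temporary file the vulnerable way (File.createTempFile), one the recommended way (Files.createTempFile with platform defaults), and one with an explicit owner-only permission attribute, then reads the resulting POSIX mode of each. The "storm-kafka-monitor" prefix and ".json" suffix are placeholders chosen for the example, not names taken from the project.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFilePermissionsDemo {

    // Vulnerable pattern (the one CVE-2023-43123 describes): java.io.File picks the
    // shared temp dir from java.io.tmpdir and lets the process umask decide the mode,
    // which on most systems yields -rw-r--r--, readable by every local user.
    static Path createInsecure() throws IOException {
        File f = File.createTempFile("storm-kafka-monitor", ".json"); // placeholder names
        f.deleteOnExit();
        return f.toPath();
    }

    // Recommended fix: java.nio.file.Files creates the file with a random name component
    // and, on POSIX systems, mode rw------- regardless of umask.
    static Path createSecureDefault() throws IOException {
        Path p = Files.createTempFile("storm-kafka-monitor", ".json");
        p.toFile().deleteOnExit();
        return p;
    }

    // Same API with the permissions spelled out, so the intent is explicit in the code
    // and does not depend on the platform default.
    static Path createSecureExplicit() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        Path p = Files.createTempFile("storm-kafka-monitor", ".json",
                PosixFilePermissions.asFileAttribute(ownerOnly));
        p.toFile().deleteOnExit();
        return p;
    }

    // Returns the mode in ls -l form, e.g. "rw-r--r--". Requires a POSIX file system.
    static String modeOf(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    // True when group or others have any access bit set, i.e. the file leaks to other users.
    static boolean isWorldOrGroupReadable(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path insecure = createInsecure();
        Path secureDefault = createSecureDefault();
        Path secureExplicit = createSecureExplicit();
        try {
            // Write the same constructed "sensitive" content to each to make the point concrete.
            byte[] secret = "bootstrap.servers=kafka:9092\nsasl.password=example\n".getBytes();
            Files.write(insecure, secret);
            Files.write(secureDefault, secret);
            Files.write(secureExplicit, secret);

            System.out.println(insecure + "  " + modeOf(insecure)
                    + "  leaks=" + isWorldOrGroupReadable(insecure));
            System.out.println(secureDefault + "  " + modeOf(secureDefault)
                    + "  leaks=" + isWorldOrGroupReadable(secureDefault));
            System.out.println(secureExplicit + "  " + modeOf(secureExplicit)
                    + "  leaks=" + isWorldOrGroupReadable(secureExplicit));
        } finally {
            Files.deleteIfExists(insecure);
            Files.deleteIfExists(secureDefault);
            Files.deleteIfExists(secureExplicit);
        }
    }
}
```

Run it as an ordinary user on Linux with a default umask of 022: the first line shows rw-r--r-- and leaks=true, the other two show rw------- and leaks=false. The first path also makes the "predefined name" point visible: the prefix and suffix are fixed, so another local user can watch the temp directory for files matching storm-kafka-monitor*.json. The same check is the one to add to a code review or unit test when auditing a codebase for File.createTempFile usage.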

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2023-08226
CVE-2023-43123
GHSA-85P4-Q357-72H9

Affected Products

Apache Storm