Creating and using insecure temporary files can leave application and system data vulnerable to attack.
View on MITRENo mitigation information available for this CWE.
No detection method information available for this CWE.
The following code uses a temporary file for storing intermediate data gathered from the network before it is processed.
This otherwise unremarkable code is vulnerable to a number of different attacks because it relies on an insecure method for creating temporary files. The vulnerabilities introduced by this function and others are described in the following sections. The most egregious security problems related to temporary file creation have occurred on Unix-based operating systems, but Windows applications have parallel risks. This section includes a discussion of temporary file creation on both Unix and Windows systems. Methods and behaviors can vary between systems, but the fundamental risks introduced by each are reasonably constant.
A library uses the Java File.createTempFile() method which creates a file with "-rw-r--r--" default permissions on Unix-like operating systems
View DetailsNo relationship information available for this CWE.
CWE-377: Insecure Temporary File is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Creating and using insecure temporary files can leave application and system data vulnerable to attack.
If exploited, CWE-377 (Insecure Temporary File) it can compromise Confidentiality and Integrity, leading to outcomes such as Read Files or Directories and Modify Files or Directories.
CWE-377 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-377, including CVE-2022-41954. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-377 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.