CWE-378: Creation of Temporary File With Insecure Permissions

BaseDraftExploit Likelihood: High

Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-378: Creation of Temporary File With Insecure Permissions?+

CWE-378: Creation of Temporary File With Insecure Permissions is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.

What are the security consequences of Creation of Temporary File With Insecure Permissions?+

If exploited, CWE-378 (Creation of Temporary File With Insecure Permissions) it can compromise Confidentiality, Authorization, Other and Integrity, leading to outcomes such as Read Application Data and Other.

How do you prevent or mitigate Creation of Temporary File With Insecure Permissions?+

Recommended mitigations for CWE-378 include: Many contemporary languages have functions which properly handle this condition. Older C temp file functions are especially susceptible. Ensure that you use proper file permissions. This can be achieved by using a safe temp file function. Temporary files should be writable and readable only by the process that owns the file. Randomize temporary file names. This can also be achieved by using a safe temp-file function. This will ensure that temporary files will not be created in predictable places.

Which programming languages are affected by Creation of Temporary File With Insecure Permissions?+

CWE-378 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Creation of Temporary File With Insecure Permissions?+

MITRE documents real CVEs mapped to CWE-378, including CVE-2022-24823. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-378 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More