CVE-2023-33251

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-33251

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33251.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-33251

Published

2023-05-21T21:15:08.790Z

Modified

2026-04-10T04:58:43.934698Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too weak permissions: it is readable by other users on Linux or UNIX, a similar issue to CVE-2022-41946.

References

Affected packages

Git / github.com/akka/akka-http

Affected ranges

Type

GIT

Repo

https://github.com/akka/akka-http

Events

Introduced

Fixed

ece6aa991378ce92d0fa1e2ac06cb92c6fb5f03b

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.5.2"
        }
    ]
}

Affected versions

imported-from-v2.*

imported-from-v2.4.11

v10.*

v10.0.0

v10.0.0-RC2

v10.0.1

v10.0.10

v10.0.11

v10.0.3

v10.0.4

v10.0.5

v10.0.6

v10.0.7

v10.0.8

v10.0.9

v10.1.0

v10.1.0-RC1

v10.1.0-RC2

v10.1.1

v10.1.10

v10.1.11

v10.1.2

v10.1.3

v10.1.4

v10.1.5

v10.1.6

v10.1.7

v10.1.8

v10.1.9

v10.2.0

v10.2.0-M1

v10.2.0-RC1

v10.2.0-RC2

v10.2.1

v10.2.10

v10.2.2

v10.2.3

v10.2.4

v10.2.5

v10.2.5-M1

v10.2.5-M2

v10.2.6

v10.2.7

v10.2.8

v10.2.9

v10.4.0

v10.4.0-M1

v10.4.0-M2

v10.5.0

v10.5.0-M1

v10.5.1

v3.*

v3.0.0-RC1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33251.json"