
CVE-2025-48382: CWE-732: Incorrect Permission Assignment for Critical Resource in codelibs fess

Low
Tags: Vulnerability, CVE-2025-48382, CWE-732
Published: Tue May 27 2025 (05/27/2025, 04:32:23 UTC)
Source: CVE Database V5
Vendor/Project: codelibs
Product: fess

Description

Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local users to access sensitive data contained in these files. This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact. This issue has been patched in version 14.19.2. A workaround for this issue involves ensuring local access to the environment running Fess is restricted to trusted users only.

AI-Powered Analysis

Last updated: 07/11/2025, 11:02:31 UTC

Technical Analysis

CVE-2025-48382 is a vulnerability identified in the Enterprise Search Server product Fess, developed by codelibs. The issue arises from the createTempFile() method in the org.codelibs.fess.helper.SystemHelper class, which prior to version 14.19.2 creates temporary files without explicitly setting restrictive permissions. This improper permission assignment corresponds to CWE-732 (Incorrect Permission Assignment for Critical Resource). As a result, temporary files may be accessible by unauthorized local users, potentially leading to information disclosure of sensitive data contained within these files. The vulnerability is primarily relevant in environments where Fess is deployed on shared or multi-user systems, as unauthorized local users could exploit the weak permissions to access temporary files created by Fess. In isolated or single-user deployments, the practical risk is minimal or negligible. The vulnerability has been addressed in Fess version 14.19.2 by ensuring that temporary files are created with appropriate restrictive permissions. No known exploits are currently reported in the wild, and the CVSS v4.0 score is low (1.2), reflecting the limited attack vector (local access required), low complexity, and minimal impact on confidentiality, integrity, and availability. The vulnerability does not require authentication or user interaction but does require local access to the system running Fess. This issue highlights the importance of secure file permission management in enterprise applications, especially those deployed in multi-user environments.

Potential Impact

For European organizations, the impact of CVE-2025-48382 is generally low but context-dependent. Organizations deploying Fess in shared or multi-user environments—such as universities, research institutions, or large enterprises with multi-tenant servers—may face a risk of unauthorized local users accessing sensitive temporary files. This could lead to information disclosure, potentially exposing confidential search indexes, query logs, or other sensitive data processed by Fess. However, the vulnerability does not enable remote exploitation, does not affect system integrity or availability, and requires local access, limiting its impact primarily to insider threats or compromised local accounts. Organizations with strict access controls and isolated deployments are less likely to be affected. Given that Fess is an enterprise search server, the sensitivity of exposed data depends on the organization's use case. In regulated sectors such as finance, healthcare, or government within Europe, even limited information disclosure could have compliance implications under GDPR or sector-specific regulations. Overall, the threat is low severity but should not be ignored in environments where local user access is shared or insufficiently controlled.

Mitigation Recommendations

1. Upgrade to Fess version 14.19.2 or later, where the vulnerability has been patched by enforcing restrictive permissions on temporary files.
2. Restrict local system access to trusted users only, especially on servers running Fess in multi-user environments. Implement strict user account management and monitoring to prevent unauthorized local access.
3. Employ operating system-level access controls such as mandatory access control (e.g., SELinux, AppArmor) or filesystem ACLs to further restrict access to Fess temporary directories.
4. Regularly audit file permissions and temporary file creation behavior on servers hosting Fess to detect any deviations from secure configurations.
5. Consider isolating Fess deployments in containerized or virtualized environments with limited local user access to minimize exposure.
6. Monitor logs for unusual local access patterns or attempts to access temporary files.
7. Educate system administrators and security teams about the importance of secure file permission management in enterprise applications.
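The Technical Analysis above describes the weakness (a temporary file created with whatever permissions the process umask leaves) and the fix (creating it with restrictive permissions), and mitigation step 4 asks for periodic audits of temporary file permissions. The example below is added here to illustrate both points in Java; it is not Fess's SystemHelper and not the project's actual patch. The class name TempFilePermissionsDemo and the "fess-" prefix are illustrative choices. It contrasts java.io.File.createTempFile, which inherits the umask (commonly 0644 under umask 022), with java.nio.file.Files.createTempFile given an explicit owner-only attribute, and includes a small audit helper that walks a directory and reports files readable by group or others.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.stream.Stream;

/**
 * Added example, not Fess project code: weak vs. hardened temporary-file
 * creation on a POSIX filesystem, plus a permission audit helper.
 */
public final class TempFilePermissionsDemo {

    // Weak pattern: java.io.File.createTempFile applies the process umask.
    // With the common umask 022 the file ends up 0644, i.e. readable by
    // every local user, which is the CWE-732 condition described in the advisory.
    static Path createTempFileLegacy(Path dir) throws IOException {
        return File.createTempFile("fess-", ".tmp", dir.toFile()).toPath();
    }

    // Hardened pattern: request owner-only permissions (rw-------) at creation
    // time, so the file is never world-readable, not even for an instant.
    static Path createTempFileRestricted(Path dir) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        return Files.createTempFile(dir, "fess-", ".tmp", ownerOnly);
    }

    // Audit helper (mitigation step 4): list regular files under root whose
    // mode grants read access to group or others.
    static List<Path> findReadableByOthers(Path root) throws IOException {
        List<Path> findings = new ArrayList<>();
        try (Stream<Path> walk = Files.walk(root)) {
            for (Path p : (Iterable<Path>) walk::iterator) {
                if (!Files.isRegularFile(p)) {
                    continue;
                }
                Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
                if (perms.contains(PosixFilePermission.GROUP_READ)
                        || perms.contains(PosixFilePermission.OTHERS_READ)) {
                    findings.add(p);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("This filesystem has no POSIX permission view; nothing to demonstrate.");
            return;
        }
        // The JDK creates this directory 0700, so nothing is actually exposed
        // while the demo runs; only the files' own modes differ.
        Path dir = Files.createTempDirectory("perm-demo-");
        Path legacy = createTempFileLegacy(dir);
        Path restricted = createTempFileRestricted(dir);
        try {
            System.out.println("legacy:     "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy)));
            System.out.println("restricted: "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(restricted)));
            for (Path p : findReadableByOthers(dir)) {
                System.out.println("readable by other local users: " + p);
            }
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(restricted);
            Files.deleteIfExists(dir);
        }
    }
}
```

Run it with `java TempFilePermissionsDemo.java` on Linux or macOS. Under a typical umask 022 the legacy file reports rw-r--r-- and is flagged by the audit helper, while the restricted file reports rw-------. The same walk can be pointed at the temporary directory a Fess instance actually uses to check for stray world-readable files after upgrading.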


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-05-19T15:46:00.397Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6835ae13182aa0cae20f9d8d

Added to database: 5/27/2025, 12:20:35 PM

Last enriched: 7/11/2025, 11:02:31 AM

Last updated: 8/4/2025, 2:26:10 PM
