CVE-2023-33695
📋 TL;DR
Hutool versions 5.8.17 and below contain an information disclosure vulnerability where the File.createTempFile() function in FileUtil.java creates temporary files with insecure permissions. This allows local users to read sensitive data from temporary files created by the application. Any application using vulnerable Hutool versions is affected.
💻 Affected Systems
- Hutool
📦 What is this software?
Hutool, a Java utility library maintained by the Hutool project (hosted under the dromara organization on GitHub, per the advisory link below).
⚠️ Risk & Real-World Impact
Worst Case
Attackers with local access could read sensitive application data, configuration files, or credentials stored in temporary files, potentially leading to privilege escalation or further system compromise.
Likely Case
Local users can read temporary files containing application data, which may include configuration details, partial data processing results, or other non-critical information.
If Mitigated
With proper file permission controls and secure temporary file handling, the impact is limited to reading only non-sensitive temporary data.
🎯 Exploit Status
Exploitation requires local access to the system. The vulnerability is well-documented in the GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v5.8.18 and above
Vendor Advisory: https://github.com/dromara/hutool/issues/3103
Restart Required: Yes
Instructions:
1. Update the Hutool dependency to version 5.8.18 or higher.
2. Update pom.xml or build.gradle to reference the new version.
3. Rebuild and redeploy the application.
4. Restart any running services using Hutool.
🔧 Temporary Workarounds
Secure Temporary File Creation
Implement custom temporary file creation with secure permissions instead of using Hutool's vulnerable FileUtil.createTempFile() method.
// Java code example:
import java.io.File;
File tempFile = File.createTempFile("prefix", ".suffix");
// Revoke read/write for everyone, then re-grant to the owner only.
// (Calling setReadable(false, false) alone would also lock out the owner.)
tempFile.setReadable(false, false);
tempFile.setReadable(true, true);
tempFile.setWritable(false, false);
tempFile.setWritable(true, true);
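The java.io.File approach above still leaves a short window between creation and the permission change. As an added example (not Hutool's code and not from the advisory), the class below creates the temporary file with owner-only permissions in the same operation via java.nio.file and includes a check that a verifier or test can run against existing temp files; the class and method names are my own, and the POSIX branch assumes a POSIX file system.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class SecureTempFile {

    /** Creates a temp file readable and writable only by the owner. */
    public static Path create(String prefix, String suffix) throws IOException {
        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            // Permissions are applied at creation time, so the file never exists
            // with umask-derived (typically 0644) permissions. Files.createTempFile
            // already defaults to rw------- on POSIX; passing it makes the intent explicit.
            FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
            return Files.createTempFile(prefix, suffix, ownerOnly);
        }
        // Non-POSIX fallback (e.g. Windows): revoke for everyone, then re-grant to the owner.
        File f = Files.createTempFile(prefix, suffix).toFile();
        f.setReadable(false, false);
        f.setReadable(true, true);
        f.setWritable(false, false);
        f.setWritable(true, true);
        return f.toPath();
    }

    /** Audit helper (POSIX only): true if group or others can read the file. */
    public static boolean isReadableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path p = create("demo", ".tmp");   // prefix/suffix are placeholder values
        try {
            System.out.println(p + " readable by others: " + isReadableByOthers(p));
        } finally {
            Files.deleteIfExists(p);
        }
    }
}
```

isReadableByOthers() can also be pointed at files an existing deployment has already written to its temp directory to confirm whether the vulnerable pattern is still in use.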
🧯 If You Can't Patch
- Implement application-level controls to avoid storing sensitive data in temporary files
- Use operating system file permission controls to restrict access to temporary directories
🔍 How to Verify
Check if Vulnerable:
Check if your application uses Hutool version 5.8.17 or below. Review code for usage of FileUtil.createTempFile() or related methods.
Check Version:
For Maven: mvn dependency:tree | grep hutool
For Gradle: gradle dependencies | grep hutool
Verify Fix Applied:
Verify Hutool version is 5.8.18 or higher in your dependency management file and that the application no longer uses vulnerable temporary file creation patterns.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in temporary directories
- Multiple failed permission attempts on temporary files
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
source="*temp*" AND action="read" AND user NOT IN ("application_user", "system_user")