CVE-2023-43123

On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.<br /> <br /> The method File.createTempFile on unix-like systems creates a file with predefined name (so easily identifiable) and by default will create this file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other local users can read this information.<br /> <br /> File.createTempFile(String, String) will create a temporary file in the system temporary directory if the &amp;#39;java.io.tmpdir&amp;#39; system property is not explicitly set. <br /> <br /> This affects the class  https://github.com/apache/storm/blob/master/storm-core/src/jvm/org/apache/storm/utils/TopologySpoutLag.java#L99  and was introduced by  https://issues.apache.org/jira/browse/STORM-3123 <br /> <br /> In practice, this has a very limited impact as this class is used only if ui.disable.spout.lag.monitoring<br /> <br /> is set to false, but its value is true by default.<br /> Moreover, the temporary file gets deleted soon after its creation.<br /> <br /> The solution is to use  Files.createTempFile https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/nio/file/Files.html#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute...)  instead.<br /> <br /> We recommend that all users upgrade to the latest version of Apache Storm.