Sightline

Medium

setuptools

Insecure Temporary File Creation

A vulnerability in versions <=69.4.2 of the setuptools package allows for insecure temporary file creation using the deprecated tempfile.mktemp() function. This issue was patched in version 70.0.1.

Available publicly on Aug 05 2024 | Available with Premium on Jun 10 2024

CVE:

No CVE

CWE:

377:Insecure Temporary File

CVSS:

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Credit:

h2oa

Assess Detect

Unavailable

Remediate

Remediation Steps

Upgrade to setuptools version 70.0.1 or later.
Replace any usage of tempfile.mktemp() with tempfile.mkstemp() to ensure secure temporary file creation.
Review code for other instances of insecure temporary file creation and update accordingly.

Patch Details

Fixed Version: 70.0.1
Patch Commit: https://github.com/pypa/setuptools/commit/f91fa3d9fc7262e0467e4b2f84fe463f8f8d23cf

Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 436- related security advisories that are available with Sightline Premium.