Sensitive Information Disclosure Due to Weak Permissions in a Short Time Window
A vulnerability in the configuration handling of Intel Neural Compressor could disclose sensitive information through a TOCTOU (time-of-check to time-of-use) race condition. The issue, present in the master branch, was patched in version 2.5.0. It arises because sensitive data is written to a file before the file's permissions are tightened, leaving a short window in which another local user could read the data.
Available publicly on May 15 2024
Remediation Steps
- Update to Intel Neural Compressor version 2.5.0 or later.
- Review and monitor file system security policies to prevent unauthorized access.
- Create files that hold sensitive data with restrictive permissions from the outset (for example by passing mode 0o600 to os.open with O_CREAT, or by setting a restrictive umask before opening) instead of writing first and calling chmod afterwards; a permission change after the write cannot close the window that already existed.
- Regularly audit and test for race condition vulnerabilities in software handling sensitive information.
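The following is an added illustration of the write-then-chmod pattern the advisory describes next to the hardened pattern the remediation steps recommend. It is example code written for this page, not code from Intel Neural Compressor or from the patch commit; the file names, the sample secret and the helper names (write_secret_racy, write_secret_safe, demo) are constructed for the demo.

```python
import os
import stat
import tempfile

# Constructed sample secret for the demo; not real credential material.
SAMPLE_SECRET = b"api_token=constructed-example-value\n"


def _mode(path: str) -> int:
    """Permission bits of `path`, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_secret_racy(path: str, data: bytes) -> int:
    """The pattern the advisory describes: write first, chmod afterwards.

    open() creates the file with mode 0o666 & ~umask (0o644 under the common
    0o022 umask), so the secret is world-readable from the moment the inode
    exists until os.chmod runs. Returns the mode observed inside that window,
    i.e. what a concurrent local reader would be allowed to see.
    """
    with open(path, "wb") as f:          # created with the umask-derived mode
        f.write(data)
    window_mode = _mode(path)            # another user could open() here
    os.chmod(path, 0o600)                # too late: the window already existed
    return window_mode


def write_secret_safe(path: str, data: bytes) -> int:
    """Hardened pattern: request 0o600 at creation time.

    os.open with O_CREAT|O_EXCL and mode 0o600 creates the inode with
    owner-only permissions from the first instant (the umask can only clear
    bits, never add them), so there is no check-then-use gap. O_EXCL also
    makes the call fail instead of following a file or symlink an attacker
    planted at `path` beforehand. Returns the mode observed right after
    creation. Caveat: on Windows the mode argument only affects the
    read-only flag, so this guarantee is POSIX-specific.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:       # fdopen takes ownership of fd
        f.write(data)
    return _mode(path)


def demo(umask: int = 0o022) -> dict:
    """Run both writers under `umask` in a scratch directory; return what was observed.

    Note that tempfile creates the scratch directory itself as 0o700, which in
    practice would already block other users; the point of the demo is the
    permission bits on the file, which is what the advisory is about.
    """
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = write_secret_racy(os.path.join(d, "racy.cfg"), SAMPLE_SECRET)
            safe = write_secret_safe(os.path.join(d, "safe.cfg"), SAMPLE_SECRET)
            # O_EXCL check: a file (or symlink) planted at the path is refused.
            planted = os.path.join(d, "planted.cfg")
            with open(planted, "wb") as f:
                f.write(b"attacker-controlled placeholder\n")
            try:
                write_secret_safe(planted, SAMPLE_SECRET)
                refused = False
            except FileExistsError:
                refused = True
            return {
                "racy_window_mode": racy,
                "safe_creation_mode": safe,
                "racy_world_readable_in_window": bool(racy & stat.S_IROTH),
                "safe_world_readable_at_creation": bool(safe & stat.S_IROTH),
                "refused_planted_file": refused,
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    r = demo()
    print(f"racy writer: {r['racy_window_mode']:o} inside the window, "
          f"safe writer: {r['safe_creation_mode']:o} at creation, "
          f"planted file refused: {r['refused_planted_file']}")
```

Running the demo on a POSIX system with the default 0o022 umask shows the racy writer exposing the file as 0o644 before its chmod, while the hardened writer never exists in any state other than 0o600. Audits for this class of bug can grep for the write-then-chmod sequence directly (an `open()`/`write()` followed by `os.chmod` on the same path) and for `os.umask` calls that loosen permissions before a file is created.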
Patch Details
- Fixed Version: 2.5.0
- Patch Commit: https://github.com/intel/neural-compressor/commit/24419c9044fe227ea806db370c1a30272d026f8a