CVE-2023-6917

performancecopilot/pcp is vulnerable to Creation of Temporary File With Insecure Permissions. The vulnerability is due to the mixed privilege levels utilized by systemd services associated with the package. While certain services operate within the confines of limited user/group privileges, others are granted full root privileges. This disparity in privilege levels poses a risk when privileged root processes interact with directories or directory trees owned by unprivileged users. Specifically, this may lead to the compromise of user isolation and facilitate local-to-root exploits, particularly through symlink attacks.