Thank you @fossfreedom and everyone involved in addressing these issues \o/
Patches and CVEs are released so I am making this issue public.
I re-assessed all CVEs to the same CVSS. I also removed the suggested mitigation text and user-specific text in the CVE metadata--many applications have access to /tmp/ in addition to other user accounts.
If the reporter for the first two CVEs is added to GHSA, I can update the CVE metadata to attribute them.