Advisories for Maven/Net.sf.mpxj/Mpxj package

2022

Insecure Temporary File

MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-like operating systems (not Windows or macOS), MPXJ's use of File.createTempFile(..) results in temporary files being created with the permissions -rw-r--r--. This means that any other user on the system can read the contents of this file. When MPXJ is reading a schedule file which requires the creation of …

2020

Path Traversal

common/InputStreamHelper.java in Packwood MPXJ allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations.