CVE-2021-22572: Exposure of Resource to Wrong Sphere

March 29, 2022 (updated May 10, 2022)

On unix-like systems, the system temporary directory is shared between all users on that system. The root cause is File.createTempFile creates files in the the system temporary directory with world readable permissions. Any sensitive information written to theses files is visible to all other local users on unix-like systems. We recommend upgrading past commit https://github.com/google/data-transfer-project/pull/969

References

github.com/google/data-transfer-project/pull/969
nvd.nist.gov/vuln/detail/CVE-2021-22572

Detect and mitigate CVE-2021-22572 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →