CVE-2022-41954: Temporary File Information Disclosure vulnerability in MPXJ
On Unix-like operating systems (not Windows or macOS), MPXJ's use of File.createTempFile(..) results in temporary files being created with the permissions -rw-r--r--. This means that any other user on the system can read the contents of this file. When MPXJ is reading a type of schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ.
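The following is an added illustration, not code from MPXJ or from its fix commits: it places the legacy java.io.File.createTempFile(..) pattern beside java.nio.file.Files.createTempFile(..), which creates owner-only (rw-------) files and directories on POSIX file systems, and adds a small check that a defender can run against any temporary path to confirm it is not group- or world-readable. Class and method names are this example's own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFilePermissionsDemo {

    // Legacy pattern: java.io.File.createTempFile only applies the process umask,
    // so with the usual umask of 022 the file is created -rw-r--r-- (world-readable),
    // which is the behaviour the advisory describes.
    static Path legacyTempFile() throws IOException {
        File f = File.createTempFile("schedule", ".tmp");
        return f.toPath();
    }

    // Hardened pattern: java.nio.file.Files.createTempFile creates the file with
    // rw------- on POSIX file systems, so only the owning user can read it.
    static Path hardenedTempFile() throws IOException {
        return Files.createTempFile("schedule", ".tmp");
    }

    // Same idea for a scratch directory, with the owner-only mode made explicit.
    static Path hardenedTempDir() throws IOException {
        return Files.createTempDirectory("schedule",
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
    }

    // Defensive check: true when the path is readable or writable by group or others.
    static boolean isExposedToOtherUsers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.GROUP_WRITE)
            || perms.contains(PosixFilePermission.OTHERS_READ)
            || perms.contains(PosixFilePermission.OTHERS_WRITE);
    }

    public static void main(String[] args) throws IOException {
        Path[] paths = { legacyTempFile(), hardenedTempFile(), hardenedTempDir() };
        try {
            for (Path p : paths) {
                String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
                System.out.println(p + "  " + mode + "  exposed=" + isExposedToOtherUsers(p));
            }
        } finally {
            for (Path p : paths) {
                Files.deleteIfExists(p); // remove the scratch files and directory
            }
        }
    }
}
```

On a Linux host with the default umask the legacy file reports rw-r--r-- and exposed=true, while the two hardened paths report rw------- / rwx------ and exposed=false; on Windows the POSIX permission calls throw UnsupportedOperationException, matching the advisory's note that the issue does not apply there.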
References
- github.com/advisories/GHSA-jf2p-4gqj-849g
- github.com/joniles/mpxj
- github.com/joniles/mpxj/commit/287ad0234213c52b0638565e14bd9cf3ed44cedd
- github.com/joniles/mpxj/commit/ae0af24345d79ad45705265d9927fe55e94a5721
- github.com/joniles/mpxj/security/advisories/GHSA-jf2p-4gqj-849g
- github.com/pypa/advisory-database/tree/main/vulns/mpxj/PYSEC-2022-42996.yaml
- nvd.nist.gov/vuln/detail/CVE-2022-41954