CVE Vulnerability

CVE-2022-24913

Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.

5.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLUTIL-3227926 Third Party Advisory
https://github.com/cowtowncoder/java-merge-sort/pull/21 Patch Third Party Advisory
https://github.com/cowtowncoder/java-merge-sort/commit/450fdee70b5f181c2afc5d817f293efa1a543902 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:java-merge-sort_project:java-merge-sort:*:*:*:*:*:*:*:*
Information

Published : 2023-01-12 05:15

Updated : 2023-01-20 07:46

NVD link : CVE-2022-24913

Mitre link : CVE-2022-24913

Products Affected
No products.
CWE
CWE-668