First published: Fri Nov 25 2022(Updated: )
### Impact

On Unix-like operating systems (not Windows or macOS), MPXJ's use of `File.createTempFile(..)` results in temporary files being created with the permissions `-rw-r--r--`. This means that any other user on the system can read the contents of this file. When MPXJ is reading a type of schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ.

### Patches

The problem has been patched; MPXJ version 10.14.1 and later includes the necessary changes.

### Workarounds

Setting `java.io.tmpdir` to a directory to which only the user running the application has access will prevent other users from accessing these temporary files.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/joniles/mpxj
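The following is an added example (not MPXJ's own code) contrasting the `File.createTempFile` pattern the advisory describes with the NIO alternative that requests owner-only permissions at creation time, plus a check a reviewer can run to confirm a temporary file is not exposed to other local users. It assumes a Unix-like host with the usual default umask; the `mpxj-demo-` prefix is a constructed name.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFilePermissions {

    // The pre-10.14.1 pattern: File.createTempFile creates the file with mode 0666
    // masked by the process umask, which with the common umask 022 yields -rw-r--r--.
    static File legacyTempFile() throws IOException {
        File f = File.createTempFile("mpxj-demo-", ".tmp"); // constructed prefix
        f.deleteOnExit();
        return f;
    }

    // Hardened alternative: ask for rw------- atomically at creation time, so there is
    // no window in which the file exists with broader permissions. (On POSIX file systems
    // Files.createTempFile already defaults to owner-only; passing it explicitly is clearer.)
    static Path ownerOnlyTempFile() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        Path p = Files.createTempFile("mpxj-demo-", ".tmp",
                PosixFilePermissions.asFileAttribute(ownerOnly));
        p.toFile().deleteOnExit();
        return p;
    }

    // True if any group or "others" permission bit is set, i.e. the file is not owner-only.
    static boolean isExposedToOtherUsers(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            if (!perm.name().startsWith("OWNER_")) {
                return true;
            }
        }
        return false;
    }

    static String describe(Path p) throws IOException {
        return p + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
                + (isExposedToOtherUsers(p) ? "  <- readable by other users" : "  owner only");
    }

    public static void main(String[] args) throws IOException {
        System.out.println(describe(legacyTempFile().toPath()));
        System.out.println(describe(ownerOnlyTempFile()));
    }
}
```

The same `isExposedToOtherUsers` check applied to the directory named by `java.io.tmpdir` verifies the advisory's workaround: a private temporary directory keeps the files unreadable even when the library itself still uses `File.createTempFile`.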
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/mpxj | <10.14.1 | 10.14.1 |
| nuget/net.sf.mpxj-for-vb | <10.14.1 | 10.14.1 |
| nuget/net.sf.mpxj-for-csharp | <10.14.1 | 10.14.1 |
| nuget/net.sf.mpxj | <10.14.1 | 10.14.1 |
| maven/net.sf.mpxj:mpxj | <10.14.1 | 10.14.1 |
| MPXJ | <10.14.1 | 10.14.1 |
The severity of CVE-2022-41954 is low with a CVSS score of 3.3.
CVE-2022-41954 affects MPXJ on Unix-like operating systems, where temporary files are created with insecure permissions that allow any user on the system to read them.
CVE-2022-41954 affects all versions of the MPXJ library before 10.14.1.
To fix CVE-2022-41954, update the MPXJ library to version 10.14.1 or higher.
You can find more information about CVE-2022-41954 on the GitHub security advisory page and the NVD vulnerability detail page.