Miggo Logo
Miggo Vulnerability Database
CVE-2022-21126

CVE-2022-21126: HTSJDK is vulnerable to exposure of resource(s) to the wrong sphere

7.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-21126
GHSA ID
GHSA-96vh-4rfp-c42c
EPSS Score
0.14862%
CWE
CWE-668
Published
11/29/2022
Updated
1/28/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.github.samtools:htsjdkmaven< 3.0.13.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the insecure implementation of createTempDir() in IOUtil.java, which used File.createTempFile() followed by deletion and directory creation. This approach is vulnerable to TOCTOU attacks and insecure permissions. The commit diff shows this function was deprecated and replaced with Files.createTempDirectory(), which securely handles directory creation. The CVE description and patch notes explicitly identify this function as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** *om.*it*u*.s*mtools:*tsj*k ***or* *.*.* *r* vuln*r**l* to *r**tion o* T*mpor*ry *il* in *ir**tory wit* Ins**ur* P*rmissions *u* to t** *r**t*T*mp*ir() *un*tion in util/IOUtil.j*v* not ****kin* *or t** *xist*n** o* t** t*mpor*ry *ir**tory

Reasoning

T** vuln*r**ility st*ms *rom t** ins**ur* impl*m*nt*tion o* `*r**t*T*mp*ir()` in `IOUtil.j*v*`, w*i** us** `*il*.*r**t*T*mp*il*()` *ollow** *y **l*tion *n* *ir**tory *r**tion. T*is *ppro*** is vuln*r**l* to TO*TOU *tt**ks *n* ins**ur* p*rmissions. T*