
CVE-2022-24913: Java Merge-sort Insecure Temporary File vulnerability

CVSS Score (v3.1): 5.5

Basic Information

EPSS Score: 0.05025%
Published: 1/12/2023
Updated: 1/20/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: com.fasterxml.util:java-merge-sort
Ecosystem: maven
Vulnerable Versions: < 1.1.0
First Patched Version: 1.1.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability is explicitly attributed to the StdTempFileProvider() function's use of File.createTempFile() in the advisory. The commit diff confirms the vulnerable code was located in the provide() method of StdTempFileProvider.java, where File.createTempFile() was replaced with the secure Files.createTempFile(). The CWE-377 classification directly maps to the insecure temporary file creation pattern demonstrated here.
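The two temporary-file calls named above side by side, as an added example that is not code from the java-merge-sort project or the advisory, together with a permission check a reviewer can run; it assumes a POSIX file system (where Files.getPosixFilePermissions() is supported), and the class and method names are my own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Added example, not the java-merge-sort project's code. Assumes a POSIX
// file system, where Files.getPosixFilePermissions() is supported.
public class TempFileDemo {
    // Vulnerable pattern (CWE-377): File.createTempFile() applies only the
    // process umask, so the spill file is typically 0644 and readable by
    // any local user for as long as the sort runs.
    static Path legacyTempFile() throws IOException {
        return File.createTempFile("merge-sort", ".tmp").toPath();
    }

    // Hardened pattern (the API the fix commit switched to): on POSIX,
    // Files.createTempFile() creates the file 0600 by default.
    static Path hardenedTempFile() throws IOException {
        return Files.createTempFile("merge-sort", ".tmp");
    }

    // Review check: true only if no group/other permission bit is set.
    static boolean ownerOnly(Path p) throws IOException {
        Set<PosixFilePermission> owner = EnumSet.of(
                PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE,
                PosixFilePermission.OWNER_EXECUTE);
        return owner.containsAll(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path hardened = hardenedTempFile();
        try {
            for (Path p : new Path[] {legacy, hardened}) {
                System.out.println(p.getFileName() + " "
                        + PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
                        + " ownerOnly=" + ownerOnly(p));
            }
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

With a default umask of 022 the first line shows rw-r--r-- and ownerOnly=false, the second rw------- and ownerOnly=true; a stricter umask narrows the gap but only the second call guarantees owner-only access regardless of the environment.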


WAF Protection Rules

WAF Rule

Versions of the package `com.fasterxml.util:java-merge-sort` before 1.1.0 are vulnerable to Insecure Temporary File in the `StdTempFileProvider()` function in `StdTempFileProvider.java`, which uses the permissive `File.createTempFile()` function, exp
