Miggo Logo
Miggo Vulnerability Database
CVE-2022-24913

CVE-2022-24913: Java Merge-sort Insecure Temporary File vulnerability

5.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-24913
GHSA ID
GHSA-qxxc-7mq4-mf79
EPSS Score
0.05025%
CWE
CWE-377
Published
1/12/2023
Updated
1/20/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.fasterxml.util:java-merge-sortmaven< 1.1.01.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is explicitly attributed to the StdTempFileProvider() function's use of File.createTempFile() in the advisory. The commit diff confirms the vulnerable code was located in the provide() method of StdTempFileProvider.java, where File.createTempFile() was replaced with the secure Files.createTempFile(). The CWE-377 classification directly maps to the insecure temporary file creation pattern demonstrated here.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* t** p**k*** `*om.**st*rxml.util:j*v*-m*r**-sort` ***or* *.*.* *r* vuln*r**l* to Ins**ur* T*mpor*ry *il* in t** `St*T*mp*il*Provi**r()` *un*tion in `St*T*mp*il*Provi**r.j*v*`, w*i** us*s t** p*rmissiv* `*il*.*r**t*T*mp*il*()` *un*tion, *xp

Reasoning

T** vuln*r**ility is *xpli*itly *ttri*ut** to t** `St*T*mp*il*Provi**r()` *un*tion's us* o* `*il*.*r**t*T*mp*il*()` in t** **visory. T** *ommit *i** *on*irms t** vuln*r**l* *o** w*s lo**t** in t** `provi**()` m*t*o* o* `St*T*mp*il*Provi**r.j*v*`, w**