2.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-41954

CVE-2022-41954: Temporary File Information Disclosure vulnerability in MPXJ

Impact

On Unix-like operating systems (not Windows or macos), MPXJ's use of File.createTempFile(..) results in temporary files being created with the permissions -rw-r--r--. This means that any other user on the system can read the contents of this file. When MPXJ is reading a type of schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ.

Patches

The problem has been patched, MPXJ version 10.14.1 and later includes the necessary changes.

Workarounds

Setting java.io.tmpdir to a directory to which only the user running the application has access will prevent other users from accessing these temporary files.

For more information

If you have any questions or comments about this advisory

Open an issue in https://github.com/joniles/mpxj

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-41954

CVE-2022-41954:

2.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
net.sf.mpxj:mpxj	maven	< 10.14.1	10.14.1
net.sf.mpxj	nuget	< 10.14.1	10.14.1
net.sf.mpxj-for-csharp	nuget	< 10.14.1	10.14.1
net.sf.mpxj-for-vb	nuget	< 10.14.1	10.14.1
mpxj	pip	< 10.14.1	10.14.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using File.createTempFile() which doesn't set secure permissions on Unix systems. The commit diff shows these two functions were patched by replacing File.createTempFile() with Files.createTempFile() which handles permissions correctly. These are the core functions handling temporary file creation for schedule processing, directly matching the vulnerability description about transient files being readable by other users.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-41954: Temporary File Information Disclosure vulnerability in MPXJ

Impact

Patches

Workarounds

For more information

CVE-2022-41954:

2.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

2.8

2.8

CVE-2022-41954: Temporary File Information Disclosure vulnerability in MPXJ

Impact

Patches

Workarounds

For more information

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI