5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-45787

GHSA ID

GHSA-q84x-3476-8ff2

EPSS Score

0.00327%

CWE

CWE-200

Published

1/6/2023

Updated

11/15/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-45787

CVE-2022-45787: Apache James MIME4J vulnerable to information disclosure to local users

Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. We recommend users to upgrade to MIME4j version 0.8.9 or later.

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-45787

GHSA ID

GHSA-q84x-3476-8ff2

EPSS Score

0.00327%

CWE

CWE-200

Published

1/6/2023

Updated

11/15/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.james:apache-mime4j-storage	maven	< 0.8.9	0.8.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper temporary file permissions. The patch explicitly replaces File.createTempFile() with Files.createTempFile(), which has better permission controls. The original implementation's use of File.createTempFile() created files with globally readable permissions (rw-r--r--), exposing sensitive data to local users. The function createStorageOutputStream directly handled temp file creation with this vulnerable method.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Unprop*r l*xist p*rmissions on t** t*mpor*ry *il*s us** *y MIM**J T*mp*il*Stor***Provi**r m*y l*** to in*orm*tion *is*losur* to ot**r lo**l us*rs. T*is issu* *****ts *p**** J*m*s MIM**J v*rsion *.*.* *n* prior v*rsions. W* r**omm*n* us*rs to up*r***

Reasoning

T** vuln*r**ility st*ms *rom improp*r t*mpor*ry *il* p*rmissions. T** p*t** *xpli*itly r*pl***s `*il*.*r**t*T*mp*il*()` wit* `*il*s.*r**t*T*mp*il*()`, w*i** **s **tt*r p*rmission *ontrols. T** ori*in*l impl*m*nt*tion's us* o* `*il*.*r**t*T*mp*il*()`

5.5

Basic Information

Concerned about an active attack path?

CVE-2022-45787: Apache James MIME4J vulnerable to information disclosure to local users

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI