CVE-2022-41954: Sensitive Information Exposure in Mpxj

Severity: 3.3 LOW (NVD)
EPSS: 0.0% (top 93.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Nov 25
Latest update: Oct 15

Description

MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-like operating systems (not Windows or macOS), MPXJ's use of `File.createTempFile(..)` results in temporary files being created with the permissions `-rw-r--r--`. This means that any other user on the system can read the contents of this file. When MPXJ is reading a schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate
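The weakness described above is a permissions default, not a logic bug, so the fix is to create the temporary file with owner-only permissions. The following Java program is an added example (not MPXJ's own code and not taken from the advisory): it shows the legacy `java.io.File.createTempFile` call beside the hardened `java.nio.file.Files.createTempFile` form with an explicit `rw-------` attribute, plus a small check a reviewer or test suite can use to flag temp files that are readable by group or others. The file prefix `mpxj-demo` and the method names are assumptions chosen for the demonstration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFilePermissions {

    // Pattern named in the advisory: java.io.File.createTempFile applies only the
    // process umask, so with a typical Unix default umask of 022 the file is created
    // as -rw-r--r-- and every local user can read its contents.
    static Path legacyTempFile() throws IOException {
        File f = File.createTempFile("mpxj-demo", ".tmp"); // "mpxj-demo" is a demo prefix
        f.deleteOnExit();
        return f.toPath();
    }

    // Hardened form: java.nio.file.Files.createTempFile already defaults to
    // owner-only permissions on POSIX platforms; passing the attribute explicitly
    // documents the intent and does not depend on the platform default.
    static Path hardenedTempFile() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Path p = Files.createTempFile("mpxj-demo", ".tmp", ownerOnly);
        p.toFile().deleteOnExit();
        return p;
    }

    // Defender-side check: true if the file is readable by its group or by others.
    // Files.getPosixFilePermissions throws UnsupportedOperationException on
    // non-POSIX file systems (Windows), which matches the advisory's Unix-only scope.
    static boolean isGroupOrWorldReadable(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path hardened = hardenedTempFile();
        System.out.println("legacy   " + legacy + "  "
            + PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy))
            + "  exposed=" + isGroupOrWorldReadable(legacy));
        System.out.println("hardened " + hardened + "  "
            + PosixFilePermissions.toString(Files.getPosixFilePermissions(hardened))
            + "  exposed=" + isGroupOrWorldReadable(hardened));
    }
}
```

Run it on a Linux host with the usual umask of 022 and the legacy file reports `rw-r--r--` with `exposed=true`, while the hardened file reports `rw-------` with `exposed=false`. The same change applies to temporary directories: `Files.createTempDirectory` with a `rwx------` attribute replaces a directory created via `File` plus `mkdir()`.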

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 1.8 | Impact: 1.4

Affected Packages (3 packages)

NVD: mpxj/mpxj < 10.14.1
PyPI: mpxj/mpxj < 287ad0234213c52b0638565e14bd9cf3ed44cedd+1
CVEListV5: joniles/mpxj < 10.14.1

Vulnerability Details (4 entries)

GHSA: Temporary File Information Disclosure vulnerability in MPXJ (2022-11-28)
OSV: Temporary File Information Disclosure vulnerability in MPXJ (2022-11-28)
OSV: CVE-2022-41954: MPXJ is an open source library to read and write project plans from a variety of file formats and databases (2022-11-25)
CVEList: Temporary File Information Disclosure Vulnerability (2022-11-25)

Vendor Advisories (1 entry)

Oracle: Oracle Construction and Engineering Risk Matrix: Platform (MPXJ) — CVE-2022-41954 (2023-10-15)