CVE-2021-22572 is a vulnerability in Google Data Transfer Project
Published on March 29, 2022
Data-transfer-project information disclosure via tmp directory
On unix-like systems, the system temporary directory is shared between all users on that system. The root cause is that File.createTempFile creates files in the system temporary directory with world-readable permissions. Any sensitive information written to these files is visible to all other local users on unix-like systems. We recommend upgrading past commit https://github.com/google/data-transfer-project/pull/969
Vulnerability Analysis
CVE-2021-22572 is exploitable with local system access, and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Insecure Temporary File
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Products Associated with CVE-2021-22572
Affected Versions
Google LLC Data-Transfer-Project: Version unspecified and below 0.3.57 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.