Vulnerability: java-merge-sort <1.1.0, Insecure Temp File via StdTempFileProvider
CVE-2022-24913 Published on January 12, 2023
Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.
Vulnerability Analysis
CVE-2022-24913 can be exploited with local system access, and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Types
Insecure Temporary File
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Products Associated with CVE-2022-24913
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.