CVE-2022-24913: Snyk Vulnerability Database | Snyk
Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.
- Snyk ID SNYK-JAVA-COMFASTERXMLUTIL-3227926
- published 11 Jan 2023
- disclosed 11 Jan 2023
- credit Jonathan Leitschuh
How to fix?
Upgrade com.fasterxml.util:java-merge-sort to version 1.1.0 or higher.
Overview
com.fasterxml.util:java-merge-sort is a package for basic configurable disk-backed N-way merge sort.
Affected versions of this package are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.