CVE-2022-41954: MPXJ Library Temporary File Permissions Vulnerability on Unix-like Systems

CVE-2022-41954 is a security vulnerability found in MPXJ, an open-source library for reading and writing project plans from various file formats and databases. This post will provide detailed information about this vulnerability, including code snippets, links to original references, and exploit details.

Vulnerability Overview

MPXJ's use of File.createTempFile(..) on Unix-like operating systems (excluding Windows and macOS) leads to the creation of temporary files with the permissions -rw-r--r--. As a result, any user on the system can read the contents of these temporary files. When MPXJ reads a schedule file that requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files and access the schedule being processed by MPXJ.

This vulnerability affects MPXJ versions up to 10.14. and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2022-41954.

Here is a simple code snippet that demonstrates the creation of a temporary file using MPXJ

import java.io.File;
import java.io.IOException;

public class TempFileDemo {
    public static void main(String[] args) {
        try {
            File tempFile = File.createTempFile("MPXJTempFile", ".tmp");
            System.out.println("Temporary file created: " + tempFile.getAbsolutePath());
            // Your MPXJ-related code here
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

This code creates a temporary file with the permissions -rw-r--r--, which can be read by any user on a Unix-like system.

References and Patch Details

The MPXJ project has acknowledged and fixed this vulnerability. MPXJ version 10.14.1 and later include the necessary changes. Users who cannot upgrade to the latest version can set java.io.tmpdir to a directory that only the user running the application has access to, which will prevent other users from accessing temporary files created by MPXJ. Setting the java.io.tmpdir system property can be done like this:

System.setProperty("java.io.tmpdir", "/path/to/your/secure/temp/directory");

The original references regarding this vulnerability can be found in the following links

- MPXJ Changelog
- MPXJ GitHub Issue
- CVE-2022-41954 NVD Entry

Exploit Details

To exploit this vulnerability, an attacker with local access to the affected Unix-like system would need to:

Locate temporary files created by MPXJ using system tools such as find or lsof.

3. Read the contents of these temporary files while they are in use, potentially gaining access to sensitive project data.

It is essential to upgrade to MPXJ version 10.14.1 or later and/or secure the temporary directory to prevent exploitation of this vulnerability.

Timeline

Published on: 11/25/2022 19:15:00 UTC
Last modified on: 07/06/2023 13:41:00 UTC