VYPR
Moderate severity · OSV Advisory · Published Jan 12, 2023 · Updated Apr 8, 2025

CVE-2022-24913

Description

Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File creation in StdTempFileProvider (StdTempFileProvider.java), whose provide() method calls File.createTempFile(). That method creates the file with whatever permissions the process umask leaves (typically world-readable), so the temporary file contents are exposed to other local users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An insecure temporary file vulnerability in java-merge-sort before 1.1.0, caused by the use of File.createTempFile(), allows a local attacker to read the library's temporary files.

The vulnerability resides in the provide() method of StdTempFileProvider in StdTempFileProvider.java. The method calls File.createTempFile(), which creates the file with the permissions left after applying the process umask (commonly 0644 on Linux, i.e. readable by group and others), so other users on the same system can read it [1][3].

An attacker with a local account on the same host can read the temporary file from the shared temporary directory (java.io.tmpdir, usually /tmp), because the file is not restricted to its owner at creation time. Only ordinary local user access is required; no authentication to the application and no special privileges are needed.

Successful exploitation allows the attacker to read the sort data that java-merge-sort writes to temporary files while sorting, which is an information disclosure of whatever input the application is processing.

The issue is fixed in version 1.1.0 of com.fasterxml.util:java-merge-sort, which replaces File.createTempFile() with Files.createTempFile() [4]. On POSIX file systems the latter creates the file with owner-only permissions (rw-------) independent of the umask. On file systems without POSIX permissions, such as NTFS, the file inherits the access rules of the temporary directory and the change has no effect. Users should upgrade to version 1.1.0 or later.
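The following is an added example, not code from java-merge-sort or from the advisory. It reproduces the two provide() variants side by side (the pre-1.1.0 File.createTempFile() call and the 1.1.0 Files.createTempFile() call) and checks each resulting file for group or world read permission, returning null where the file system exposes no POSIX permissions at all. The class name, method names and the "sort"/".tmp" prefix and suffix are assumptions for the demonstration; the outcome depends on the umask of the process that runs it.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added demonstration class (hypothetical name, not part of java-merge-sort).
 * Creates one temp file the way StdTempFileProvider.provide() did before 1.1.0
 * and one the way it does from 1.1.0 on, then reports whether anyone other
 * than the owner can read each file.
 */
public class TempFilePermsDemo {

    /** Permission bits that let another local user read the file. */
    private static final Set<PosixFilePermission> OTHER_READ = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.OTHERS_READ);

    /** Pre-1.1.0 behaviour: mode 0666 masked by the process umask, usually 0644. */
    static File legacyProvide(String prefix, String suffix) throws IOException {
        File f = File.createTempFile(prefix, suffix);
        f.deleteOnExit();
        return f;
    }

    /** 1.1.0 behaviour: on POSIX file systems the file is created with mode 0600. */
    static File fixedProvide(String prefix, String suffix) throws IOException {
        File f = Files.createTempFile(prefix, suffix).toFile();
        f.deleteOnExit();
        return f;
    }

    /**
     * TRUE if group or others may read the file, FALSE if only the owner may,
     * null when the file system does not expose POSIX permissions (e.g. NTFS),
     * in which case the Files.createTempFile() hardening does not apply either.
     */
    static Boolean readableByOthers(Path p) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
            return !Collections.disjoint(perms, OTHER_READ);
        } catch (UnsupportedOperationException e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        File legacy = legacyProvide("sort", ".tmp");
        File fixed = fixedProvide("sort", ".tmp");
        // With the common umask 022 the first line reports true, the second false.
        System.out.println(legacy + " readable by others: " + readableByOthers(legacy.toPath()));
        System.out.println(fixed + " readable by others: " + readableByOthers(fixed.toPath()));
        // A process umask of 077 would also close the legacy hole, but a library
        // cannot rely on its host setting one, which is why the fix moved to
        // Files.createTempFile(), whose owner-only default does not depend on it.
    }
}
```

Run it on a Linux or macOS host with the usual umask of 022 and the first file is reported readable by others while the second is not; run it with umask 077 and both come back false, which is why an audit of a deployed service should check the actual file modes in java.io.tmpdir rather than assume either outcome.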

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Ecosystem   Affected versions   Patched versions
com.fasterxml.util:java-merge-sort   Maven       < 1.1.0             1.1.0

Affected products: 1

Patches: 1
450fdee70b5f

vuln-fix: Temporary File Information Disclosure

https://github.com/cowtowncoder/java-merge-sort · Jonathan Leitschuh · Nov 19, 2022 · via ghsa
1 file changed · +2 −1
  • src/main/java/com/fasterxml/sort/std/StdTempFileProvider.java · +2 −1 · modified
    @@ -1,6 +1,7 @@
     package com.fasterxml.sort.std;
     
     import java.io.*;
    +import java.nio.file.Files;
     
     import com.fasterxml.sort.TempFileProvider;
     
    @@ -35,7 +36,7 @@ public StdTempFileProvider(String prefix, String suffix) {
         @Override
         public File provide() throws IOException
         {
    -        File f = File.createTempFile(_prefix, _suffix);
    +        File f = Files.createTempFile(_prefix, _suffix).toFile();
             f.deleteOnExit();
             return f;
         }
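Review bot: the owner-only mode (rw-------) that Files.createTempFile() applies in the new provide() line is a POSIX-only default; on Windows the file inherits the ACL of java.io.tmpdir, so the hardening is silent there and a Javadoc note on provide() saying so would help callers who handle sensitive data. One behavioural change also deserves a line in the commit message: File.createTempFile() rejects a prefix shorter than three characters with IllegalArgumentException, while Files.createTempFile() accepts it, so callers that relied on that validation no longer get it. The f.deleteOnExit() call is kept, which means the spill files survive an abnormal exit (crash, SIGKILL); that is outside this fix but worth tracking for a provider whose whole purpose is holding the data being sorted.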
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.