Apache James MIME4J: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
Description
Apache James MIME4J versions <=0.8.8 create temp files with overly permissive permissions, allowing local users to read them and disclose sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MIME4J's TempFileStorageProvider creates temporary files with overly permissive permissions, potentially making them readable by other local users on the system [1][2]. This issue affects versions 0.8.8 and prior, and was tracked as MIME4J-322 [3].
Exploitation
Exploitation requires local access to the system where the MIME4J library is used. An attacker with a local user account can read temp files created during email processing, without needing authentication beyond the local account.
Impact
Successful exploitation leads to information disclosure of sensitive email content or attachments processed by applications using MIME4J.
Mitigation
The fix is implemented in version 0.8.9, which relies on Files.createTempFile with secure permissions [1]. Users are advised to upgrade to MIME4J 0.8.9 or later [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
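The permission difference behind the mitigation above can be checked on a POSIX host with the following added example (not code from the MIME4J project; the class name and the `demo` prefix are hypothetical). It creates a temp file with the pre-fix call, with the call the fix uses, and with an explicit owner-only attribute, and reports whether group or other users have any access.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added illustration; class name and the "demo" prefix are hypothetical.
public class TempFilePermissionCheck {

    // True if any group or other permission bit is set on the file.
    static boolean exposedToOthers(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            if (!perm.name().startsWith("OWNER_")) {
                return true;
            }
        }
        return false;
    }

    // Print the permission string for a freshly created temp file, then remove it.
    static void report(String label, Path p) throws IOException {
        String perms = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
        System.out.printf("%-22s %s exposedToOthers=%b%n", label, perms, exposedToOthers(p));
        Files.delete(p);
    }

    public static void main(String[] args) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("No POSIX permission view on this file system; nothing to compare.");
            return;
        }
        // Call used before 0.8.9: the mode is derived from the process umask.
        report("File.createTempFile", File.createTempFile("demo", ".tmp").toPath());

        // Call used by the fix: on POSIX the JDK defaults to owner read/write only.
        report("Files.createTempFile", Files.createTempFile("demo", ".tmp"));

        // Explicit owner-only attribute, so the result does not depend on a default.
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        report("explicit rw-------", Files.createTempFile("demo", ".tmp", ownerOnly));
    }
}
```

Run it under the same user and umask as the application that embeds MIME4J, since the first result depends on that umask.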
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.james:apache-mime4j-storage (Maven) | < 0.8.9 | 0.8.9 |
Affected products
2- Range: 0
Patches
021eb79ba312: MIME4J-322 Rely on Files.createTempFile (#82)
1 file changed · +8 −1
storage/src/main/java/org/apache/james/mime4j/storage/TempFileStorageProvider.java+8 −1 modified@@ -26,8 +26,10 @@ import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; +import java.nio.file.Files; import java.util.HashSet; import java.util.Iterator; +import java.util.Optional; import java.util.Set; import org.apache.commons.io.FileUtils; @@ -107,7 +109,12 @@ public TempFileStorageProvider(String prefix, String suffix, File directory) { } public StorageOutputStream createStorageOutputStream() throws IOException { - File file = File.createTempFile(prefix, suffix, directory); + File file; + if (directory == null) { + file = Files.createTempFile(prefix, suffix).toFile(); + } else { + file = Files.createTempFile(directory.toPath(), prefix, suffix).toFile(); + } file.deleteOnExit(); return new TempFileStorageOutputStream(file);
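Review bot: The import hunk adds `import java.util.Optional;`, but none of the added lines in this patch reference `Optional`; only `java.nio.file.Files` is used by the new `createStorageOutputStream()` body. Drop the unused import unless a follow-up change needs it.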
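Review bot: In `createStorageOutputStream()`, the replacement of `File.createTempFile(prefix, suffix, directory)` with the two `Files.createTempFile(...)` branches has no comment saying that the NIO call is there for its restrictive default permissions, so a later cleanup could fold the `if (directory == null)` branch back into the one-line `java.io.File` call. Add a short comment naming MIME4J-322, and consider passing an explicit owner-only `PosixFilePermissions` attribute on POSIX file systems so the result does not rest on a default. The change touches a single file, so a test that asserts the permissions of the created file would also be worth adding.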
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q84x-3476-8ff2 (ghsa, ADVISORY)
- lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2022-45787 (ghsa, ADVISORY)
- github.com/apache/james-mime4j/blob/master/CHANGELOG.md (ghsa, WEB)
- github.com/apache/james-mime4j/commit/021eb79ba312fe5a7f99fa867ee5350aa5533069 (ghsa, WEB)
- issues.apache.org/jira/browse/MIME4J-322 (ghsa, WEB)