Maven package
net.sf.mpxj/mpxj
pkg:maven/net.sf.mpxj/mpxj
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-49771 | Med | 5.3 | | >= 8.3.5, < 13.5.1 | 13.5.1 | Oct 28, 2024 | MPXJ is an open source library to read and write project plans from a variety of file formats and databases. The patch for the historical vulnerability CVE-2020-35460 in MPXJ is incomplete as there is still a possibility that a malicious path could be constructed which would not |
| CVE-2022-41954 | — | | | < 10.14.1 | 10.14.1 | Nov 25, 2022 | MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-like operating systems (not Windows or macOS), MPXJ's use of `File.createTempFile(..)` results in temporary files being created with the permissions `-rw-r--r--`. |
| CVE-2020-35460 | — | | | < 8.3.5 | 8.3.5 | Dec 14, 2020 | common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allows directory traversal in the zip stream handler flow, leading to the writing of files to arbitrary locations. |
| CVE-2020-25020 | — | | | < 8.1.4 | 8.1.4 | Aug 29, 2020 | MPXJ through 8.1.3 allows XXE attacks. This affects the GanttProjectReader and PhoenixReader components. |