CVE-2021-22572

Published: Mar 29, 2022Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

On unix-like systems, the system temporary directory is shared between all users on that system. The root cause is File.createTempFile creates files in the the system temporary directory with world readable permissions. Any sensitive information written to theses files is visible to all other local users on unix-like systems. We recommend upgrading past commit https://github.com/google/data-transfer-project/pull/969

Affected (1)

Products: Google: Data Transfer Project

1 product

Data Transfer Project

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Google Data Transfer Project	Before 0.3.57

Related CWEs

Insecure Temporary File

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (4)

https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-22c6-wcjm-qfjg

Source: cve-coordination@google.com

Third Party Advisory

https://github.com/google/data-transfer-project/pull/969

Source: cve-coordination@google.com

PatchThird Party Advisory

https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-22c6-wcjm-qfjg

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/google/data-transfer-project/pull/969

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.