Description
Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File: the StdTempFileProvider() function in StdTempFileProvider.java uses File.createTempFile(), which creates the temporary file with permissive default permissions and so exposes the file's contents.
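The weak pattern the advisory describes, beside a hardened form that requests owner-only permissions at creation time. This is an added illustration, not the project's own code or its actual fix; the class name TempFileDemo and the "merge-sort-" prefix are assumptions, and the permission read-back assumes a POSIX file system.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFileDemo {

    // Weak pattern from the advisory: File.createTempFile() opens the file with
    // mode 0666 masked only by the process umask, so with the common umask 022
    // the sort buffer lands on disk as rw-r--r-- and any local user can read it.
    static File insecureTempFile() throws IOException {
        return File.createTempFile("merge-sort-", ".tmp");
    }

    // Hardened form: ask for owner-only permissions at creation time, so there
    // is no window in which another local user can open the file.
    static Path secureTempFile() throws IOException {
        try {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
            FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
            return Files.createTempFile("merge-sort-", ".tmp", attr);
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system: POSIX attributes are unsupported, so fall
            // back to the NIO default rather than to File.createTempFile().
            return Files.createTempFile("merge-sort-", ".tmp");
        }
    }

    // Shows the effective mode of each variant on this host (e.g. rw-r--r-- vs rw-------).
    static String mode(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        File weak = insecureTempFile();
        Path strong = secureTempFile();
        try {
            System.out.println("File.createTempFile : " + mode(weak.toPath()));
            System.out.println("Files.createTempFile: " + mode(strong));
        } finally {
            Files.deleteIfExists(weak.toPath());
            Files.deleteIfExists(strong);
        }
    }
}
```

Run it once with a non-zero umask and compare the two mode strings; the same check (reading back the permissions of files a library writes to the temp directory) is a quick way to audit other dependencies for this class of issue.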
Remediation
Upgrade com.fasterxml.util:java-merge-sort to version 1.1.0 or later.
References
https://github.com/cowtowncoder/java-merge-sort/commit/450fdee70b5f181c2afc5d817f293efa1a543902
https://github.com/cowtowncoder/java-merge-sort/pull/21
https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLUTIL-3227926