CVE-2021-22572

low-risk
Published 2022-03-29

On unix-like systems, the system temporary directory is shared between all users on that system. The root cause is File.createTempFile creates files in the the system temporary directory with world readable permissions. Any sensitive information written to theses files is visible to all other local users on unix-like systems. We recommend upgrading past commit https://github.com/google/data-transfer-project/pull/969

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Data Transfer Project

Affected Vendors

Google

References (4)

Third Party Advisory https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-22c6-w...
Patch https://github.com/google/data-transfer-project/pull/969
Third Party Advisory https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-22c6-w...
Patch https://github.com/google/data-transfer-project/pull/969
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal