Skip to content

Insecure Temporary File in google / data-transfer-project

Moderate
JLLeitschuh published GHSA-22c6-wcjm-qfjg Mar 9, 2022

Package

google / data-transfer-project (None)

Affected versions

< 0.3.57

Patched versions

0.3.57

Description

Impact

Information downloaded with the google/data-transfer-project may expose downloaded information to other local users.

Prerequisites

This vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.

Patches

Updates to version 0.3.57 or higher.

Additional Information

Workarounds

Setting the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems.

Severity

Moderate
5.0
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CVE ID

CVE-2021-22572

Weaknesses

Credits