{"id":"CVE-2022-24913","details":"Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.","aliases":["GHSA-qxxc-7mq4-mf79"],"modified":"2026-05-18T05:55:43.795553447Z","published":"2023-01-12T05:00:01.920Z","database_specific":{"cna_assigner":"snyk","cwe_ids":["CWE-377"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24913.json"},"references":[{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLUTIL-3227926"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24913.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24913"},{"type":"FIX","url":"https://github.com/cowtowncoder/java-merge-sort/commit/450fdee70b5f181c2afc5d817f293efa1a543902"},{"type":"FIX","url":"https://github.com/cowtowncoder/java-merge-sort/pull/21"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cowtowncoder/java-merge-sort","events":[{"introduced":"0"},{"fixed":"4969aadcda1f22bf6f970a465ea5e203f36c4e74"}]}],"versions":["java-merge-sort-1.0.2","1.0.1b","java-merge-sort-1.0.1","java-merge-sort-1.0.0","java-merge-sort-0.9.1","java-merge-sort-0.9.0","0.8.1b","java-merge-sort-0.8.1","java-merge-sort-0.8.0","java-merge-sort-0.7.2","java-merge-sort-0.7.1","java-merge-sort-0.7.0","java-merge-sort-0.6.0","java-merge-sort-0.5.3","java-merge-sort-0.5.2","java-merge-sort-0.5.1","java-merge-sort-0.5.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24913.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}