CVE-2021-23331

描述

This affects all versions of package com.squareup:connect. The method prepareDownloadFilecreates creates a temporary file with the permissions bits of -rw-r--r-- on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded by downloadFileFromResponse will be visible to all other users on the local system. A workaround fix for this issue is to set the system property java.io.tmpdir to a safe directory as remediation. Note: This version of the SDK is end of life and no longer maintained, please upgrade to the latest version.

如何修補 CVE-2021-23331

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

• —未列出修補版本

CVE-2021-23331 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, <= 2.20191120.0

CVSS 分數

參考連結(4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23331
• PATCHgithub.com/square/connect-java-sdk
• WEBgithub.com/square/connect-java-sdk/blob/master/src/main/java/com/squareup/connect/ApiClient.java%23L613
• WEBsnyk.io/vuln/SNYK-JAVA-COMSQUAREUP-1065988