Home/CVE/MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-lik
CVE

CVE-2022-41954

MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-lik

MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-like operating systems (not Windows or macos), MPXJ's use of File.createTempFile(..) results in temporary files being created with the permissions -rw-r--r--. This means that any other user on the system can read the contents of this file.

When MPXJ is reading a schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ. The problem has been patched, MPXJ version 10.14.1 and later includes the necessary changes. Users unable to upgrade may set java.io.tmpdir to a directory to which only the user running the application has access will prevent other users from accessing these temporary files.

LOW · CVSS 3.3 EPSS 0.00027
Monitor
  • No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence
Sigma rules0 YARA rules0

Weakness Classification

CWE-200Exposure of Sensitive Information to an Unauthorized Actor
CWE-377Insecure Temporary File
CWE-668Exposure of Resource to Wrong Sphere

Affected Products & Versions

1
mpxj< 10.14.1

Affected Packages

5
Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.
Maven net.sf.mpxj:mpxj LOW fixed in 10.14.1
NuGet net.sf.mpxj LOW fixed in 10.14.1
NuGet net.sf.mpxj-for-csharp LOW fixed in 10.14.1
NuGet net.sf.mpxj-for-vb LOW fixed in 10.14.1
PyPI mpxj fixed in 287ad0234213c52b0638565e14bd9cf3ed44cedd, 10.14.1

Scoring & Timeline

3.3
LOW · CVSS v3.1 · security-advisories@github.com
View on NVD
Attack Vector
Network Adjacent Local Physical
Attack Complexity
Low High
Privileges Required
None Low High
User Interaction
None Required
Scope
Unchanged Changed
Confidentiality
None Low High
Integrity
None Low High
Availability
None Low High
Published to NVD25 Nov 2022 · 07:15 PM
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
SSVC triage · cisa-vulnrichment
Exploitation
none
Automatable
no
Technical impact
partial
SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

Vendor Advisories

1
oracle-cpuoracle-cpu-Primavera-Unifier-10354--CVE-2022-41954
🔗

References & Sources

2
Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
https://github.com/joniles/mpxj/commit/ae0af24345d79ad45705265d9927fe55e94a5721
https://github.com/joniles/mpxj/security/advisories/GHSA-jf2p-4gqj-849gThird Party Advisory
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
NVDCVE.orgCISAVulnersExploit-DBGitHub PoCVulnCheck KEVGreyNoise
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin