Versions of the package com.fasterxml.util:java-merge-sort before 1.1.0 are vulnerable to Insecure Temporary File in the StdTempFileProvider() function in StdTempFileProvider.java, which uses the permissive File.createTempFile() function, exposing temporary file contents.
Published: 2023-01-12
Updated: 2025-04-08
Named Vulnerability: Java Merge-sort Insecure Temporary File vulnerability
Base Score: 4.6
Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N
Severity: Medium
Base Score: 5.5
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: Medium
EPSS: 0.00025