CVE-2021-22572 MEDIUM

CVE-2021-22572: Data-transfer-project information disclosure via tmp directory

Vendor Google Llc
Product Data-Transfer-Project
Weakness CWE-377
Published March 29, 2022
Last update April 21, 2025

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

On unix-like systems, the system temporary directory is shared between all users on that system. The root cause is that File.createTempFile creates files in the system temporary directory with world-readable permissions. Any sensitive information written to these files is visible to all other local users on unix-like systems. We recommend upgrading past commit https://github.com/google/data-transfer-project/pull/969
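The weak pattern described above next to an owner-only alternative, as an added example that is not code from data-transfer-project or from the fix in the linked pull request. The class name, method names and the `dtp-demo-` prefix are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

public class TempFileDemo {
    // Weak pattern (CWE-377): the mode comes from the process umask,
    // commonly rw-r--r--, inside the shared system temp directory.
    static Path legacyTemp() throws IOException {
        File f = File.createTempFile("dtp-demo-", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    // Hardened pattern: request owner-only permissions at creation time,
    // so there is no window in which another local user can open the file.
    static Path ownerOnlyTemp() throws IOException {
        boolean posix = FileSystems.getDefault()
                .supportedFileAttributeViews().contains("posix");
        Path p = posix
                ? Files.createTempFile("dtp-demo-", ".tmp",
                        PosixFilePermissions.asFileAttribute(
                                PosixFilePermissions.fromString("rw-------")))
                // Non-POSIX file systems: fall back to the NIO default.
                : Files.createTempFile("dtp-demo-", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    // Render the mode bits so both files can be compared side by side.
    static String describe(Path p) throws IOException {
        try {
            return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
        } catch (UnsupportedOperationException e) {
            return "(non-POSIX file system)";
        }
    }

    public static void main(String[] args) throws IOException {
        Path weak = legacyTemp();
        Path safe = ownerOnlyTemp();
        System.out.println("File.createTempFile  -> " + describe(weak) + "  " + weak);
        System.out.println("Files.createTempFile -> " + describe(safe) + "  " + safe);
    }
}
```

Calling `chmod` or `setReadable(false, false)` after `File.createTempFile` is not equivalent, because the file exists with the wider mode until the second call completes.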

Key dates

02 Disclosure timeline

March 29, 2022 CVE published
April 21, 2025 Record updated