Bug 2158916 (CVE-2022-45787)

Summary: CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, anstephe, asoldano, avibelli, balejosg, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, boliveir, brian.stansberry, btotty, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, ecerquei, ehelms, emingora, eric.wittmann, fjuma, fmariani, fmongiar, ggainey, gjospin, gmalinko, gsmet, hamadhan, ibek, istudens, ivassile, iweiss, janstey, jcantril, jkoops, jmartisk, jnethert, jolee, jpavlik, jpoth, jrokos, jschatte, jsherril, jstastny, juwatts, jwon, kverlaen, lgao, lthon, lzap, manderse, max.andersen, mhulan, mnovotny, mosmerov, msochure, msvehla, nipatil, nmoumoul, nwallace, olubyans, orabin, pantinor, pcongius, pcreech, pdelbell, pdrozd, peholase, periklis, pesilva, pgallagh, pjindal, pmackay, porcelli, probinso, pskopek, rchan, rguimara, rjohnson, rkubis, rmartinc, rojacob, rowaters, rrajasek, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdouglas, smaestri, smallamp, sthorger, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mime4j 0.8.9 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache James's Mime4j TempFileStorageProvider class, where it may set improper permissions when utilizing temporary files. This flaw allows a locally authorized attacker to access information outside their intended permissions.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-29 16:32:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2158913    

Description Chess Hazlett 2023-01-06 22:02:57 UTC 
Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. We recommend users to upgrade to MIME4j version 0.8.9 or later.

https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj
Comment 5 errata-xmlrpc 2023-03-29 11:41:08 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:1514 https://access.redhat.com/errata/RHSA-2023:1514
Comment 6 errata-xmlrpc 2023-03-29 11:42:34 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:1513 https://access.redhat.com/errata/RHSA-2023:1513
Comment 7 errata-xmlrpc 2023-03-29 11:44:18 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:1512 https://access.redhat.com/errata/RHSA-2023:1512
Comment 8 errata-xmlrpc 2023-03-29 11:46:05 UTC 
This issue has been addressed in the following products:

  EAP 7.4.10 release

Via RHSA-2023:1516 https://access.redhat.com/errata/RHSA-2023:1516
Comment 9 Product Security DevOps Team 2023-03-29 16:32:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-45787
Comment 10 errata-xmlrpc 2023-05-10 11:22:41 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:2706 https://access.redhat.com/errata/RHSA-2023:2706
Comment 11 errata-xmlrpc 2023-05-10 11:23:13 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:2707 https://access.redhat.com/errata/RHSA-2023:2707
Comment 12 errata-xmlrpc 2023-05-10 11:23:41 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:2705 https://access.redhat.com/errata/RHSA-2023:2705
Comment 13 errata-xmlrpc 2023-05-10 11:59:45 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:2713 https://access.redhat.com/errata/RHSA-2023:2713
Comment 14 errata-xmlrpc 2023-05-10 14:33:03 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:2710 https://access.redhat.com/errata/RHSA-2023:2710
Comment 16 errata-xmlrpc 2023-06-27 11:29:01 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.4.3 GA

Via RHSA-2023:3815 https://access.redhat.com/errata/RHSA-2023:3815
Comment 17 errata-xmlrpc 2023-06-29 11:09:46 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.8

Via RHSA-2023:3809 https://access.redhat.com/errata/RHSA-2023:3809