CVE-2021-22571: CWE-275 Permission Issues in Google LLC google/sa360-webquery-bigquery
A local attacker could read files from some other users' SA360 reports stored in the /tmp folder during the staging process, before the files are loaded into BigQuery. We recommend upgrading to version 1.0.3 or above.
AI Analysis
Technical Summary
CVE-2021-22571 is a permission-related vulnerability identified in the Google LLC product 'google/sa360-webquery-bigquery,' which is a component used to stage and load Search Ads 360 (SA360) reports into Google BigQuery. The vulnerability arises due to improper file permission settings during the staging process, where temporary report files are stored in the /tmp directory. Specifically, a local attacker with access to the system can read files belonging to other users because the files are not adequately protected by restrictive permissions. This exposure occurs before the files are loaded into BigQuery, potentially allowing unauthorized access to sensitive report data. The vulnerability is categorized under CWE-275, which pertains to permission issues that can lead to unauthorized information disclosure. The affected versions are unspecified, but the vendor recommends upgrading to version 1.0.3 or above, where the issue has been addressed. There are no known exploits in the wild, and the vulnerability requires local access to the system, meaning an attacker must have some level of access to the host machine to exploit the flaw. No user interaction beyond local access is necessary, and the vulnerability primarily impacts confidentiality by exposing sensitive report data to unauthorized users. The integrity and availability of the system are not directly affected by this vulnerability. The issue was publicly disclosed in March 2022, with the vulnerability reserved in January 2021. No CVSS score is provided, but the severity is assessed as medium by the vendor.
Potential Impact
For European organizations using the google/sa360-webquery-bigquery tool, this vulnerability poses a risk of unauthorized disclosure of sensitive advertising and marketing data stored in SA360 reports. Such data could include campaign performance metrics, budget allocations, and strategic marketing insights. Exposure of this information could lead to competitive disadvantages, reputational damage, and potential regulatory scrutiny under data protection laws such as the GDPR if personal data is indirectly exposed. The impact is heightened in environments where multiple users share the same system or where local access controls are weak, as attackers with local access could exploit this vulnerability to access other users' reports. However, the requirement for local access limits the attack surface, reducing the likelihood of remote exploitation. The vulnerability does not affect the integrity or availability of the system, so operational disruption is unlikely. Nonetheless, organizations with strict data confidentiality requirements, such as marketing agencies, digital advertisers, and enterprises heavily reliant on SA360 and BigQuery integrations, should consider this vulnerability significant. The absence of known exploits in the wild suggests limited active targeting, but the risk remains if internal threat actors or compromised insiders gain local access.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should promptly upgrade the google/sa360-webquery-bigquery component to version 1.0.3 or later, where the permission issues have been resolved. Additionally, organizations should review and tighten file system permissions on the /tmp directory and any other temporary storage locations used during the staging process to ensure that files are only accessible by the intended user or service account. Implementing strict access controls and monitoring for unusual local access activity can help detect and prevent exploitation attempts. Organizations should also enforce the principle of least privilege for users and service accounts with access to the affected systems, limiting local access to trusted personnel only. Regular audits of user permissions and system access logs can help identify potential misuse. Where possible, isolating the staging environment or using containerization to segregate user processes can reduce the risk of cross-user data exposure. Finally, organizations should incorporate this vulnerability into their patch management and vulnerability scanning processes to ensure timely detection and remediation.
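The permission review recommended above can be scripted. The following is an added example, not code from google/sa360-webquery-bigquery: it stages a constructed report once with permissions left to the umask and once in a private directory, then audits the staging area for files that group or other users can read. The function names, the `stage-` prefix and the `report.csv` file name are assumptions made for illustration.

```python
import os
import stat
import tempfile

def find_exposed_files(root):
    """Return regular files under root that group or other users can read."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append(path)
    return sorted(exposed)

def stage_weak(shared_dir, name, data):
    """Weak pattern: predictable name, permissions left to the process umask."""
    path = os.path.join(shared_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return path

def stage_hardened(shared_dir, data):
    """Hardened pattern: private 0700 directory, 0600 file with a random name."""
    private_dir = tempfile.mkdtemp(prefix="stage-", dir=shared_dir)
    fd, path = tempfile.mkstemp(suffix=".csv", dir=private_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo():
    """Stage one constructed report each way and audit the result."""
    report = b"campaign,clicks\nexample,42\n"  # constructed sample data
    old_umask = os.umask(0o022)  # common default on multi-user hosts
    try:
        with tempfile.TemporaryDirectory() as shared:  # stand-in for /tmp
            weak = stage_weak(shared, "report.csv", report)
            hard = stage_hardened(shared, report)
            modes = {
                "weak": stat.S_IMODE(os.stat(weak).st_mode),
                "hardened": stat.S_IMODE(os.stat(hard).st_mode),
            }
            exposed = [os.path.relpath(p, shared) for p in find_exposed_files(shared)]
            return modes, exposed
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print(demo())
```

`find_exposed_files` checks file mode bits only, so it is conservative: it also reports a readable file that sits inside a directory other users cannot traverse.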
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name:
- Date Reserved: 2021-01-05T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d984bc4522896dcbf7efc
Added to database: 5/21/2025, 9:09:31 AM
Last enriched: 6/20/2025, 1:49:27 PM
Last updated: 8/18/2025, 8:40:07 AM