CVE-2022-41954: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in joniles mpxj
MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-like operating systems (not Windows or macOS), MPXJ's use of `File.createTempFile(..)` results in temporary files being created with the permissions `-rw-r--r--`. This means that any other user on the system can read the contents of this file. When MPXJ is reading a schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ. The problem has been patched: MPXJ version 10.14.1 and later include the necessary changes. Users unable to upgrade may set `java.io.tmpdir` to a directory to which only the user running the application has access; this will prevent other users from accessing these temporary files.
AI Analysis
Technical Summary
CVE-2022-41954 is a vulnerability in the open source library MPXJ, which is used to read and write project plans across various file formats and databases. The issue specifically affects Unix-like operating systems (Linux, BSD, etc.) and arises from the way MPXJ creates temporary files during processing. The library uses Java's File.createTempFile(..) method to generate temporary files with default permissions set to '-rw-r--r--', meaning the files are readable by any user on the system, not just the owner. When MPXJ processes schedule files that require temporary file or directory creation, these transient files contain sensitive project scheduling data. A local attacker with knowledge of the system and file locations could locate and read these temporary files while they exist, thereby gaining unauthorized access to potentially sensitive project information. This vulnerability does not affect Windows or macOS systems due to different file permission models. The issue has been addressed in MPXJ version 10.14.1 and later, which implements more restrictive permissions on temporary files. For users unable to upgrade, a recommended mitigation is to configure the Java temporary directory (java.io.tmpdir) to a location accessible only by the application user, preventing other local users from reading these files. No known exploits have been reported in the wild. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-377 (Insecure Temporary File).
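The following is an added example written for this page; it is not MPXJ's own code and does not claim to reproduce the project's patch. It places the pattern the description and summary above attribute to the flaw (`java.io.File.createTempFile`, whose permissions come from the process umask, typically yielding `rw-r--r--`) beside a hardened replacement using `java.nio.file.Files.createTempFile` and `Files.createTempDirectory`, which on POSIX platforms create owner-only entries (`rw-------` / `rwx------`) and also accept an explicit permission set. The class and method names (`TempFileDemo`, `legacyTempFile`, `hardenedTempFile`, `hardenedTempDirectory`, `readableByOtherUsers`) are chosen for this example. It is meant to be run on Linux or BSD; on a filesystem without POSIX attributes `getPosixFilePermissions` throws `UnsupportedOperationException`.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Side-by-side demonstration (example code, not MPXJ's) of the flawed and the
 * hardened way to create transient files on a POSIX filesystem. With the common
 * umask of 022 the legacy case prints rw-r--r--; the hardened cases print
 * rw------- and rwx------ regardless of umask.
 */
public class TempFileDemo {

    /** The pattern the advisory describes: File.createTempFile opens the file with
     *  mode 0666 masked only by the process umask, so other local users can usually
     *  read whatever is written into it. */
    static Path legacyTempFile() throws IOException {
        File f = File.createTempFile("demo-legacy-", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    /** Hardened replacement: Files.createTempFile already creates the file
     *  owner-only on POSIX; passing the permission set explicitly documents the
     *  intent and keeps it intact if the call is later refactored. */
    static Path hardenedTempFile() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Path p = Files.createTempFile("demo-hardened-", ".tmp", ownerOnly);
        p.toFile().deleteOnExit();
        return p;
    }

    /** The same treatment for the transient directories the advisory mentions. */
    static Path hardenedTempDirectory() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        Path d = Files.createTempDirectory("demo-hardened-", ownerOnly);
        d.toFile().deleteOnExit();
        return d;
    }

    /** True if the group or "others" read bit is set, i.e. another local user could read it. */
    static boolean readableByOtherUsers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    static void report(String label, Path p) throws IOException {
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
        System.out.printf("%-9s %s  %s  readable by other users: %b%n",
                label, mode, p, readableByOtherUsers(p));
    }

    public static void main(String[] args) throws IOException {
        report("legacy", legacyTempFile());
        report("hardened", hardenedTempFile());
        report("directory", hardenedTempDirectory());
    }
}
```

The `readableByOtherUsers` check is the kind of assertion worth adding to a code base's test suite for any routine that writes sensitive input to scratch storage: it fails on the legacy path and passes on the hardened one, independent of what the build host's umask happens to be.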
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive project scheduling data to other local users on the same Unix-like system. For European organizations, especially those handling confidential project plans, resource allocations, or timelines, this could lead to information leakage that compromises competitive advantage or violates data privacy policies. While the vulnerability requires local access, in environments where multiple users share systems or where attackers have gained limited access, this flaw could facilitate lateral movement or intelligence gathering. The integrity and availability of the data are not directly affected, but confidentiality is compromised. Organizations in sectors such as construction, engineering, government project management, and software development that rely on MPXJ for project plan processing are at risk. The lack of remote exploitability limits the threat scope, but insider threats or attackers leveraging other vulnerabilities to gain local access could exploit this issue.
Mitigation Recommendations
1. Upgrade MPXJ to version 10.14.1 or later immediately to ensure the vulnerability is patched.
2. For environments where upgrading is not feasible, configure the Java temporary directory (java.io.tmpdir) to point to a directory with strict access controls (e.g., permissions set to 700) owned by the application user, preventing other users from reading temporary files.
3. Implement strict user access controls and monitoring on Unix-like systems to limit the number of users with local access and detect suspicious file access patterns.
4. Use filesystem monitoring tools to alert on unauthorized access attempts to temporary directories used by MPXJ.
5. Consider containerization or sandboxing of applications using MPXJ to isolate file system access.
6. Educate system administrators and developers about secure temporary file handling practices to prevent similar issues.
7. Regularly audit and review permissions on temporary directories and files on shared systems.
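Recommendations 2 and 7 above rely on the directory behind `java.io.tmpdir` actually being private. The following start-up check is an added example (not MPXJ's code) that an application embedding the library can run before handing it a schedule file: it verifies that the directory exists, is owned by the user running the JVM, and grants nothing to group or others (mode 700). The class and method names (`TmpDirAudit`, `audit`) are chosen for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

/**
 * Start-up audit (example code, not MPXJ's) of the directory named by
 * java.io.tmpdir: it must exist, be owned by the current user, and be mode 700.
 * The stock /tmp (mode 1777) fails this check on purpose.
 */
public class TmpDirAudit {

    /** Any of these bits means another local user gets some access to the directory. */
    private static final Set<PosixFilePermission> NOT_ALLOWED = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** Returns an empty list when the directory passes, otherwise one finding per problem. */
    static List<String> audit(Path dir) throws IOException {
        List<String> findings = new ArrayList<>();
        if (!Files.isDirectory(dir)) {
            findings.add("not an existing directory: " + dir);
            return findings;
        }
        // The advisory scopes the flaw to Unix-like systems; on a filesystem without
        // POSIX attributes the permission bits cannot be inspected this way.
        if (!Files.getFileStore(dir).supportsFileAttributeView("posix")) {
            findings.add("filesystem does not expose POSIX permissions; check cannot be applied");
            return findings;
        }
        String owner = Files.getOwner(dir).getName();
        String current = System.getProperty("user.name");
        if (!owner.equals(current)) {
            findings.add("owned by '" + owner + "', not by the running user '" + current + "'");
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        EnumSet<PosixFilePermission> leaked = EnumSet.noneOf(PosixFilePermission.class);
        leaked.addAll(perms);
        leaked.retainAll(NOT_ALLOWED);
        if (!leaked.isEmpty()) {
            findings.add("mode is " + PosixFilePermissions.toString(perms)
                    + " but should be rwx------ (700); extra bits: " + leaked);
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        List<String> findings = audit(tmp);
        if (findings.isEmpty()) {
            System.out.println("java.io.tmpdir=" + tmp + " is private to this user");
            return;
        }
        System.err.println("java.io.tmpdir=" + tmp + " is not safe for sensitive scratch files:");
        for (String f : findings) {
            System.err.println("  - " + f);
        }
        System.exit(1);
    }
}
```

To apply recommendation 2, create the directory as the application user with `mkdir -m 700 <private-tmp>` and launch the JVM with `-Djava.io.tmpdir=<private-tmp>`; the audit then passes, whereas leaving the property at its default (`/tmp` on most Unix-like systems) makes it exit non-zero because the directory is world-readable and world-writable.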
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-30T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9846c4522896dcbf4b8b
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/22/2025, 1:22:04 PM
Last updated: 8/11/2025, 6:38:44 AM