Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/mpxj@10.3.0
Type pypi
Namespace
Name mpxj
Version 10.3.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 13.5.1
Latest_non_vulnerable_version 13.5.1
Affected_by_vulnerabilities
0
url VCID-g25p-m9n2-nugx
vulnerability_id VCID-g25p-m9n2-nugx
summary MPXJ has a Potential Path Traversal Vulnerability
### Impact

The patch for the historical vulnerability CVE-2020-35460 in MPXJ
is incomplete as there is still a possibility that a malicious path
could be constructed which would not be picked up by the original
fix and allow files to be written to arbitrary locations.

### Patches

The issue is addressed in MPXJ version 13.5.1.

### Workarounds

Do not pass zip files to MPXJ.

### References
N/A
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-49771
reference_id
reference_type
scores
0
value 0.00189
scoring_system epss
scoring_elements 0.40606
published_at 2026-06-05T12:55:00Z
1
value 0.00189
scoring_system epss
scoring_elements 0.40568
published_at 2026-06-09T12:55:00Z
2
value 0.00189
scoring_system epss
scoring_elements 0.40554
published_at 2026-06-08T12:55:00Z
3
value 0.00189
scoring_system epss
scoring_elements 0.40583
published_at 2026-06-07T12:55:00Z
4
value 0.00189
scoring_system epss
scoring_elements 0.40611
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-49771
1
reference_url https://github.com/joniles/mpxj
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/joniles/mpxj
2
reference_url https://github.com/joniles/mpxj/commit/8002802890dfdc8bc74259f37e053e15b827eea0
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-29T13:34:48Z/
url https://github.com/joniles/mpxj/commit/8002802890dfdc8bc74259f37e053e15b827eea0
3
reference_url https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-29T13:34:48Z/
url https://github.com/joniles/mpxj/security/advisories/GHSA-j945-c44v-97g6
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-49771
reference_id CVE-2024-49771
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-49771
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mpxj/CVE-2024-49771.yml
reference_id CVE-2024-49771.YML
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mpxj/CVE-2024-49771.yml
6
reference_url https://github.com/advisories/GHSA-j945-c44v-97g6
reference_id GHSA-j945-c44v-97g6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j945-c44v-97g6
fixed_packages
0
url pkg:pypi/mpxj@13.5.1
purl pkg:pypi/mpxj@13.5.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mpxj@13.5.1
aliases CVE-2024-49771, GHSA-j945-c44v-97g6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g25p-m9n2-nugx
1
url VCID-z7sa-tgte-pkg6
vulnerability_id VCID-z7sa-tgte-pkg6
summary MPXJ is an open source library to read and write project plans from a variety of file formats and databases. On Unix-like operating systems (not Windows or macOS), MPXJ's use of `File.createTempFile(..)` results in temporary files being created with the permissions `-rw-r--r--`. This means that any other user on the system can read the contents of this file. When MPXJ is reading a schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ. The problem has been patched; MPXJ version 10.14.1 and later includes the necessary changes. Users unable to upgrade may set `java.io.tmpdir` to a directory to which only the user running the application has access, which will prevent other users from accessing these temporary files.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-41954
reference_id
reference_type
scores
0
value 0.00027
scoring_system epss
scoring_elements 0.07944
published_at 2026-06-04T12:55:00Z
1
value 0.00027
scoring_system epss
scoring_elements 0.07937
published_at 2026-06-09T12:55:00Z
2
value 0.00027
scoring_system epss
scoring_elements 0.07918
published_at 2026-06-08T12:55:00Z
3
value 0.00027
scoring_system epss
scoring_elements 0.07967
published_at 2026-06-07T12:55:00Z
4
value 0.00027
scoring_system epss
scoring_elements 0.07992
published_at 2026-06-06T12:55:00Z
5
value 0.00027
scoring_system epss
scoring_elements 0.07977
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-41954
1
reference_url https://github.com/joniles/mpxj
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/joniles/mpxj
2
reference_url https://github.com/joniles/mpxj/commit/287ad0234213c52b0638565e14bd9cf3ed44cedd
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/joniles/mpxj/commit/287ad0234213c52b0638565e14bd9cf3ed44cedd
3
reference_url https://github.com/joniles/mpxj/commit/ae0af24345d79ad45705265d9927fe55e94a5721
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
2
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:53:46Z/
url https://github.com/joniles/mpxj/commit/ae0af24345d79ad45705265d9927fe55e94a5721
4
reference_url https://github.com/joniles/mpxj/security/advisories/GHSA-jf2p-4gqj-849g
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
2
value LOW
scoring_system cvssv3.1_qr
scoring_elements
3
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
4
value LOW
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:53:46Z/
url https://github.com/joniles/mpxj/security/advisories/GHSA-jf2p-4gqj-849g
5
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/mpxj/PYSEC-2022-42996.yaml
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/mpxj/PYSEC-2022-42996.yaml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-41954
reference_id
reference_type
scores
0
value 2.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
1
value 2.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-41954
7
reference_url https://github.com/advisories/GHSA-jf2p-4gqj-849g
reference_id GHSA-jf2p-4gqj-849g
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jf2p-4gqj-849g
fixed_packages
0
url pkg:pypi/mpxj@10.14.1
purl pkg:pypi/mpxj@10.14.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-g25p-m9n2-nugx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mpxj@10.14.1
aliases CVE-2022-41954, GHSA-jf2p-4gqj-849g, PYSEC-2022-42996
risk_score 1.5
exploitability 0.5
weighted_severity 3.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z7sa-tgte-pkg6
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/mpxj@10.3.0