PT-2021-15440 · Square · Com.Squareup:Connect

Jonathan Leitschuh · Published 2021-02-03 · Updated 2022-04-08 · CVE-2021-23331

CVSS v3.1: 4.4 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

com.squareup:connect (affected versions not specified)

Description

The issue affects the prepareDownloadFile method, which creates a temporary file with permission bits of -rw-r--r-- on Unix-like systems. Since the system temporary directory is shared between users, the contents of the downloaded file will be visible to all other users on the local system.

Recommendations

For all affected versions, set the system property java.io.tmpdir to a safe directory as a workaround. It is also recommended to upgrade to the latest version of the SDK, as the current version is end of life and no longer maintained.
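
An added example, not code from the SDK or from this advisory: it contrasts the temporary-file pattern described above with an owner-only variant and checks whether the configured java.io.tmpdir is reachable by other users. The class and method names are hypothetical, the `File.createTempFile` call is an assumed stand-in for the described pattern, and a POSIX file system is assumed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempFilePermissionsDemo {

    // Assumed stand-in for the described pattern: the file is created in
    // java.io.tmpdir with umask-derived permissions (rw-r--r-- under umask 022).
    static Path weakTempFile() throws IOException {
        return File.createTempFile("download-", ".tmp").toPath();
    }

    // Hardened form: owner-only permissions are requested at creation time,
    // so there is no window in which the file is readable by other users.
    static Path ownerOnlyTempFile() throws IOException {
        return Files.createTempFile("download-", ".tmp",
                PosixFilePermissions.asFileAttribute(
                        PosixFilePermissions.fromString("rw-------")));
    }

    // True if any group or others permission bit is set on the path.
    static boolean openToOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.stream().anyMatch(x -> !x.name().startsWith("OWNER_"));
    }

    public static void main(String[] args) throws IOException {
        // Workaround check: is the configured temp directory private to this user?
        Path tmpdir = Paths.get(System.getProperty("java.io.tmpdir"));
        System.out.println("java.io.tmpdir " + tmpdir
                + " open to other users: " + openToOthers(tmpdir));

        Path weak = weakTempFile();
        Path strict = ownerOnlyTempFile();
        try {
            for (Path p : new Path[] {weak, strict}) {
                System.out.println(p.getFileName() + " "
                        + PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
                        + " open to other users: " + openToOthers(p));
            }
        } finally {
            Files.deleteIfExists(weak);
            Files.deleteIfExists(strict);
        }
    }
}
```

For the workaround, set the property on the JVM command line (`-Djava.io.tmpdir=<private directory>`) rather than at run time, since the JDK may read it only once.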

Related Identifiers

CVE-2021-23331
GHSA-Q4HM-FWC9-HMV6
SNYK-JAVA-COMSQUAREUP-1065988

Affected Products

Com.Squareup:Connect