Vulnerabilities disclosed in guava-31.1-jre.jar
Issue date: 11-03-2024
Affects versions: 15.4, 15.2, 15.1
Security Issue ID
SECURITY-432
Affected Product Version(s)
15.4.0 and previous releases.
Severity
Medium
Description
CVE-2020-8908 (OSSINDEX)
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
CVSSv3.x:
- Base Score: LOW (3.3)
- Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0:
- Base Score: LOW (2.1)
- Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Instructions
Customers are advised to upgrade to the latest version, which at the time of writing is 15.5.0.
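For code that still calls the deprecated method, the migration recommended in the description can be written as follows. This is an added example, not code from the vendor or from Guava; the class name, method names and directory prefixes are hypothetical, and it assumes a POSIX file system (passing POSIX attributes on other file systems throws UnsupportedOperationException).

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.Set;

public class TempDirCheck {
    // Owner-only mode (700), applied when the directory is created.
    static final FileAttribute<Set<PosixFilePermission>> OWNER_ONLY =
        PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));

    /** Replacement for com.google.common.io.Files.createTempDir(). */
    static Path createPrivateTempDir(String prefix) throws IOException {
        Path dir = Files.createTempDirectory(prefix, OWNER_ONLY);
        requireOwnerOnly(dir);
        return dir;
    }

    /** Fails if group or others hold any permission on the directory. */
    static void requireOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            if (!p.name().startsWith("OWNER_")) {
                throw new IOException(dir + " is accessible beyond its owner: "
                        + PosixFilePermissions.toString(perms));
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Legacy pattern: mkdir() under java.io.tmpdir; the mode follows the process umask.
        File legacy = new File(System.getProperty("java.io.tmpdir"),
                "example-legacy-" + System.nanoTime());   // constructed name
        if (!legacy.mkdir()) throw new IOException("mkdir failed: " + legacy);
        System.out.println("legacy:  " + PosixFilePermissions.toString(
                Files.getPosixFilePermissions(legacy.toPath())));
        try {
            requireOwnerOnly(legacy.toPath());
        } catch (IOException e) {
            System.out.println("check:   " + e.getMessage());
        }
        Path safe = createPrivateTempDir("example-private-");
        System.out.println("private: " + PosixFilePermissions.toString(
                Files.getPosixFilePermissions(safe)));
        Files.delete(legacy.toPath());
        Files.delete(safe);
    }
}
```

The requireOwnerOnly check can also be pointed at the directory named by java.io.tmpdir when that property is relocated as the description suggests.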