Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVtZzgtdzIzdy03NGgz

Information Disclosure in Guava

A temp directory creation vulnerability exists in Guava prior to version 32.0.0, allowing an attacker with access to the machine to potentially access data in a temporary directory created by Guava's com.google.common.io.Files.createTempDir() method. The permissions on the created directory default to the standard Unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the directory is created, or removing uses of the vulnerable method.
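Both recommended mitigations, sketched with JDK-only APIs as an added example (not code from the advisory or from Guava). The class and method names are hypothetical, and the "legacy" directory in main is a constructed stand-in for one made by the vulnerable method.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempDirHardening {  // hypothetical name, for illustration
    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");

    static boolean posixSupported() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    // Removing the vulnerable call: replace com.google.common.io.Files.createTempDir()
    // with a directory that is owner-only from the moment it exists.
    static Path createPrivateTempDir(String prefix) throws IOException {
        if (!posixSupported()) {
            // No POSIX mode bits here (e.g. Windows); platform default ACLs apply.
            return Files.createTempDirectory(prefix);
        }
        return Files.createTempDirectory(prefix,
                PosixFilePermissions.asFileAttribute(OWNER_ONLY));
    }

    // Changing permissions after creation: tighten an existing directory.
    // Returns true if the mode had to be changed. The directory stays open
    // between its creation and this call, so prefer createPrivateTempDir.
    static boolean restrictToOwner(Path dir) throws IOException {
        if (!posixSupported()) return false;
        if (Files.getPosixFilePermissions(dir).equals(OWNER_ONLY)) return false;
        Files.setPosixFilePermissions(dir, OWNER_ONLY);
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path fresh = createPrivateTempDir("app-");
        // Constructed stand-in for a directory readable by group and others.
        Path legacy = Files.createTempDirectory("legacy-");
        if (posixSupported()) {
            Files.setPosixFilePermissions(legacy, PosixFilePermissions.fromString("rwxr-xr-x"));
        }
        System.out.println("legacy tightened: " + restrictToOwner(legacy));
        System.out.println("fresh needed tightening: " + restrictToOwner(fresh));
        Files.delete(fresh);
        Files.delete(legacy);
    }
}
```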

Permalink: https://github.com/advisories/GHSA-5mg8-w23w-74h3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVtZzgtdzIzdy03NGgz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 3 years ago
Updated: 6 months ago


CVSS Score: 3.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-5mg8-w23w-74h3, CVE-2020-8908
References: Repository: https://github.com/google/guava
Blast Radius: 17.6

Affected Packages

maven:com.google.guava:guava
Dependent packages: 29,038
Dependent repositories: 219,576
Downloads:
Affected Version Ranges: < 32.0.0-android
Fixed in: 32.0.0-android
All affected versions: 10.0.1, 11.0.1, 11.0.2, 12.0.1, 13.0.1, 14.0.1, 16.0.1
All unaffected versions: