
Guava vulnerable to insecure use of temporary directory

Moderate severity · GitHub Reviewed · Published Jun 14, 2023 to the GitHub Advisory Database • Updated Feb 13, 2024

Package

com.google.guava:guava (Maven)

Affected versions

>= 1.0, < 32.0.0-android

Patched versions

32.0.0-android

Description

FileBackedOutputStream in Google Guava versions 1.0 to 31.1 creates its files in Java's default temporary directory. On Unix systems and Android Ice Cream Sandwich, this allows other users and apps on the machine that have access to the default Java temporary directory to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

References

Published by the National Vulnerability Database Jun 14, 2023
Published to the GitHub Advisory Database Jun 14, 2023
Reviewed Jun 14, 2023
Last updated Feb 13, 2024

Severity

Moderate 5.5 / 10

CVSS base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2023-2976

GHSA ID

GHSA-7g45-4rm6-3mm3
