Upgrade guava version #453
Labels
type/enhancement
Type: make the code neat or more efficient
Comments
|
Deserialization Of Untrusted Data Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. https://advisory.checkmarx.net/advisory/vulnerability/CVE-2018-10237/ |
|
Thanks for your recommendation, |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Incorrect Permission Assignment For Critical Resource
A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.
https://advisory.checkmarx.net/advisory/vulnerability/CVE-2020-8908/
The text was updated successfully, but these errors were encountered: