Use of temporary directory for file creation in `FileBackedOutputStream` in Guava
CVE-2023-2976

7.1 HIGH

Key Information:

Vendor: Google
Status: Vendor
CVE Published: 14 June 2023

Summary

A security flaw in `FileBackedOutputStream` in Google Guava allows unauthorized access to the files it creates in the default temporary directory on Unix and Android systems. The vulnerability affects versions 1.0 to 31.1: other users and applications on the same machine can access these files. The issue is resolved in version 32.0.0, but users are advised to upgrade to version 32.0.1 for optimal functionality and security, because 32.0.0 may disrupt features on Windows systems.

Affected Version(s)

Guava 1.0 < 32.0.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved