Use of temporary directory for file creation in `FileBackedOutputStream` in Guava
CVE-2023-2976

7.1HIGH

Key Information:

Vendor: Google
Status: Guava
Vendor: CVE Published:; 14 June 2023

What is CVE-2023-2976?

A security flaw in Google Guava allows unauthorized access to files created in the default temporary directory on Unix and Android systems. This vulnerability, found in versions 1.0 to 31.1, poses a risk as files can be accessed by other users and applications. The issue has been resolved in version 32.0.0, but users are advised to upgrade to version 32.0.1 for optimal functionality and security, particularly since 32.0.0 may disrupt features on Windows systems.

Affected Version(s)

Guava 1.0 < 32.0.0

References

https://github.com/google/guava/issues/2575

https://security.netapp.com/advisory/ntap-20230818-0008/

https://www.intel.com/content/www/us/en/security-center/a...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 14, 2023
Vulnerability Reserved
May 30, 2023