Incorrect Permission Assignment for Critical Resource Affecting guava-libraries package, versions <32.0.1-1


Severity

Recommended
0.0
low
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.06% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIANUNSTABLE-GUAVALIBRARIES-5734207
  • published23 Jun 2023
  • disclosed10 Dec 2020

Introduced: 10 Dec 2020

CVE-2020-8908  (opens in a new tab)
CWE-732  (opens in a new tab)

How to fix?

Upgrade Debian:unstable guava-libraries to version 32.0.1-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream guava-libraries package and not the guava-libraries package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

References

CVSS Scores

version 3.1