Information Disclosure Affecting package, versions [, 30.0-android) (30.0-android, 30.0-jre)



    Attack Complexity Low

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.06% (23rd percentile)
3.3 low
Red Hat
3.3 low
4 medium

  • published 23 Oct 2020
  • disclosed 2 Oct 2020
  • credit Jonathan Leitschuh

How to fix?

There is no fix for However, in version 30.0 and above, the vulnerable functionality has been deprecated. In order to mitigate this vulnerability, upgrade to version 30.0 or higher and ensure your dependencies don't use the createTempDir or createTempFile methods.

Overview

is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Information Disclosure. The file permissions on the file created by allow an attacker running a malicious program co-resident on the same machine to steal secrets stored in this directory. This is because, by default, on unix-like operating systems the /tmp directory is shared between all users, so if the correct file permissions aren't set by the directory/file creator, the file becomes readable by all other users on that system.


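// runLS is a helper that is not shown on this page; it prints the permissions of the given entry.
File guavaTempDir = com.google.common.io.Files.createTempDir();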
System.out.println("Guava Temp Dir: " + guavaTempDir.getName());
runLS(guavaTempDir.getParentFile(), guavaTempDir); // Prints the file permissions -> drwxr-xr-x
File child = new File(guavaTempDir, "guava-child.txt");
runLS(guavaTempDir, child); // Prints the file permissions -> -rw-r--r--

For Android developers, choosing a temporary directory API provided by Android is recommended, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's system property to point to a location whose permissions are appropriately configured.
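The migration recommended above, as an added example that is not part of the original advisory or of the library's own code: it creates the directory and a child file with owner-only permissions through java.nio.file.Files and refuses to continue if the resulting mode is wider. The class name, method names and the "app-secrets-" prefix are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class SafeTempDir { // hypothetical class name
    static final Set<PosixFilePermission> OWNER_DIR = PosixFilePermissions.fromString("rwx------");
    static final Set<PosixFilePermission> OWNER_FILE = PosixFilePermissions.fromString("rw-------");

    // True when the default file system exposes POSIX mode bits (Linux, macOS).
    static boolean posix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    // Creates a temp directory with mode 700 and fails closed if the result is broader.
    static Path createPrivateTempDir(String prefix) throws IOException {
        if (!posix()) return Files.createTempDirectory(prefix); // no mode bits to request
        Path dir = Files.createTempDirectory(prefix, PosixFilePermissions.asFileAttribute(OWNER_DIR));
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir);
        if (!actual.equals(OWNER_DIR)) {
            Files.delete(dir);
            throw new IOException("temp dir too permissive: " + PosixFilePermissions.toString(actual));
        }
        return dir;
    }

    // Creates the file atomically (fails if it already exists) with mode 600.
    static Path createPrivateFile(Path dir, String name) throws IOException {
        Path p = dir.resolve(name);
        if (!posix()) return Files.createFile(p);
        return Files.createFile(p, PosixFilePermissions.asFileAttribute(OWNER_FILE));
    }

    static String mode(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("app-secrets-"); // constructed sample prefix
        Path child = createPrivateFile(dir, "child.txt");
        if (posix()) System.out.println(dir + " " + mode(dir) + "\n" + child + " " + mode(child));
        Files.delete(child);
        Files.delete(dir);
    }
}
```

On a POSIX system the two printed modes are rwx------ and rw-------, in contrast to the drwxr-xr-x and -rw-r--r-- shown in the snippet above.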