Vulnerabilities disclosed in guava-31.1-jre.jar 

Issue date: 11-03-2024
Affects versions: 15.4, 15.2, 15.1

Security Issue ID

SECURITY-432

 

Affected Product Version(s)

15.4.0 and previous releases.


Severity 

Medium


Description

CVE-2020-8908 (OSSINDEX)

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

CWE-379 Creation of Temporary File in Directory with Incorrect Permissions

CVSSv3.x:

  • Base Score: LOW (3.3)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS 2.0:

  • Base Score: LOW (2.1)
  • Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
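
The migration recommended in the description, shown as an added example that is not part of the original advisory or the product's code: a replacement for com.google.common.io.Files.createTempDir() built on java.nio.file.Files.createTempDirectory(), followed by a check that no group or other permission bits are set. The class and method names (SafeTempDir, createPrivateTempDir, isExposed) and the "app-" prefix are hypothetical.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class SafeTempDir {

    // True if group or others hold any permission bit on the directory.
    static boolean isExposed(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        return perms.stream().anyMatch(p ->
                p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_"));
    }

    // Replacement for Guava's deprecated Files.createTempDir():
    // the directory is created with owner-only permissions (700) in one step,
    // so there is no window in which other local users can read it.
    static Path createPrivateTempDir(String prefix) throws IOException {
        boolean posix = FileSystems.getDefault()
                .supportedFileAttributeViews().contains("posix");
        if (!posix) {
            // No POSIX mode bits on this file system (e.g. Windows); access is
            // governed by the ACLs of the java.io.tmpdir location instead.
            return Files.createTempDirectory(prefix);
        }
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(
                        PosixFilePermissions.fromString("rwx------"));
        Path dir = Files.createTempDirectory(prefix, ownerOnly);
        // Fail closed if the result is still reachable by group or others.
        if (isExposed(dir)) {
            Files.delete(dir);
            throw new IOException("temporary directory is not owner-only: " + dir);
        }
        return dir;
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("app-"); // hypothetical prefix
        System.out.println("created " + dir);
        Files.delete(dir);
    }
}
```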

Instructions

Customers are advised to upgrade to the latest version, which at the time of writing is 15.5.0.