upgrade the guava version
Nanmozhi22 opened this issue · comments
Upgrade com.google.guava:guava to fix 2 Dependabot alerts in qa/large-data-tests/pom.xml
Upgrade com.google.guava:guava to version 32.0.0-android or later. For example:
A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.
I will work on this issue
Hello @Nanmozhi22,
Thank you for the interest to work on this item.
In order to qualify this item, could you please post in the ticket thread:
a) the depentabot alerts mentioned in the ticket description
b) the vulnerability
Thanks,
Petros
Hello @psavidis
Here are the details which I got from the dependent bot , pls let me know
Description :
Upgrade com.google.guava:guava to version 32.0.0-android or later. For example:
com.google.guava guava [32.0.0-android,)Vulnerability details :
A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.
Is cve-2020-8908 the one you posted on the ticket?