Giters

matteobaccan / owner

Get rid of the boilerplate code in properties based configuration.

Home Page:https://matteobaccan.github.io/owner/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2020-8908 (Low) detected in guava-27.0.1-jre.jar

mend-bolt-for-github opened this issue · comments

commented

CVE-2020-8908 - Low Severity Vulnerability

Vulnerable Library - guava-27.0.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /owner-extras/pom.xml

Path to vulnerable library: /owner-extras/pom.xml

Dependency Hierarchy:

  • curator-framework-4.3.0.jar (Root Library)
    • curator-client-4.3.0.jar
      • guava-27.0.1-jre.jar (Vulnerable Library)

Found in HEAD commit: 12e21721ff1098fe44de120bf2737fd994f40fa6

Found in base branch: master

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution (com.google.guava:guava): 30.0-android

Direct dependency fix Resolution (org.apache.curator:curator-framework): 5.0.0

Step up your Open Source Security Game with Mend here