GHSA-5mg8-w23w-74h3

Suggest an improvement
Source
https://github.com/advisories/GHSA-5mg8-w23w-74h3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-5mg8-w23w-74h3/GHSA-5mg8-w23w-74h3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5mg8-w23w-74h3
Aliases
Published
2021-03-25T17:04:19Z
Modified
2024-06-19T13:14:36.584442Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Information Disclosure in Guava
Details

A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.

References

Affected packages

Maven / com.google.guava:guava

Package

Name
com.google.guava:guava
View open source insights on deps.dev
Purl
pkg:maven/com.google.guava/guava

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
32.0.0-android

Affected versions

Other

r03
r05
r06
r07
r08
r09

10.*

10.0-rc1
10.0-rc2
10.0-rc3
10.0
10.0.1

11.*

11.0-rc1
11.0
11.0.1
11.0.2

12.*

12.0-rc1
12.0-rc2
12.0
12.0.1

13.*

13.0-rc1
13.0-rc2
13.0
13.0.1

14.*

14.0-rc1
14.0-rc2
14.0-rc3
14.0
14.0.1

15.*

15.0-rc1
15.0

16.*

16.0-rc1
16.0
16.0.1

17.*

17.0-rc1
17.0-rc2
17.0

18.*

18.0-rc1
18.0-rc2
18.0

19.*

19.0-rc1
19.0-rc2
19.0-rc3
19.0

20.*

20.0-rc1
20.0

21.*

21.0-rc1
21.0-rc2
21.0

22.*

22.0-rc1
22.0-rc1-android
22.0
22.0-android

23.*

23.0-rc1
23.0-rc1-android
23.0
23.0-android
23.1-android
23.1-jre
23.2-android
23.2-jre
23.3-android
23.3-jre
23.4-android
23.4-jre
23.5-android
23.5-jre
23.6-android
23.6-jre
23.6.1-android
23.6.1-jre

24.*

24.0-android
24.0-jre
24.1-android
24.1-jre
24.1.1-android
24.1.1-jre

25.*

25.0-android
25.0-jre
25.1-android
25.1-jre

26.*

26.0-android
26.0-jre

27.*

27.0-android
27.0-jre
27.0.1-android
27.0.1-jre
27.1-android
27.1-jre

28.*

28.0-android
28.0-jre
28.1-android
28.1-jre
28.2-android
28.2-jre

29.*

29.0-android
29.0-jre

30.*

30.0-android
30.0-jre
30.1-android
30.1-jre
30.1.1-android
30.1.1-jre

31.*

31.0-android
31.0-jre
31.0.1-android
31.0.1-jre
31.1-android
31.1-jre

Ecosystem specific

{
    "affected_functions": [
        "com.google.common.io.Files.createTempDir"
    ]
}