OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Guava dependency has a CVE-2020-8908 #226

Closed thinkingstone closed 3 years ago

thinkingstone commented 3 years ago

OWASP Dependency Checker shows that the guava dependency has a LOW score CVE-2020-8908. See: https://nvd.nist.gov/vuln/detail/CVE-2020-8908

Guava >30 fixes this CVE.

mikesamuel commented 3 years ago

Thanks. This project doesn't create any files so doesn't call mktemp so I don't think this is exploitable, but I'll look into updating.

Lots of clients have their own dependency on guava, so the range is wide open; that dependency is there as a lower bound and can be overridden with a system property.

I can look into raising it.

msymons commented 3 years ago

Addressed by ad287c3

JLLeitschuh commented 2 years ago

> Guava >30 fixes this CVE.

It doesn't actually fix the issue. I'm the one that found the vulnerability. 👋
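The thread ends on the point that bumping the Guava version does not by itself remove the risk behind CVE-2020-8908: the NVD entry linked above describes the weakness as `com.google.common.io.Files.createTempDir()` creating a world-readable directory on unix-like systems, and recommends migrating callers to `java.nio.file.Files.createTempDirectory()`, which creates the directory with owner-only permissions. The following is an added example, not code from this issue or from the java-html-sanitizer project (which, as noted above, creates no files): it shows the recommended replacement together with a small permission check a project could run in a test to confirm that a temp directory it created grants nothing to group or other. The class name `SafeTempDir` and the prefix `sanitizer-demo-` are my own choices.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

// Added example (not part of the issue thread or of java-html-sanitizer).
// CVE-2020-8908: Guava's com.google.common.io.Files.createTempDir() produces a
// world-readable directory on unix-like systems. The advisory's recommended fix
// is the JDK API below, which creates the directory with mode 0700 on POSIX.
public final class SafeTempDir {

    private SafeTempDir() {}

    /** Creates a private temp directory under java.io.tmpdir. */
    public static Path create(String prefix) throws IOException {
        // java.nio applies owner-only permissions (0700) on POSIX file systems,
        // unlike Guava's deprecated createTempDir().
        return Files.createTempDirectory(prefix);
    }

    /**
     * Returns true if the directory grants no group or other permissions.
     * Intended as a test-time check. On file systems without a POSIX
     * permission view (e.g. NTFS) Files.getPosixFilePermissions throws
     * UnsupportedOperationException; callers decide how to treat that.
     */
    public static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ
                    && p != PosixFilePermission.OWNER_WRITE
                    && p != PosixFilePermission.OWNER_EXECUTE) {
                return false; // a group or other bit is set
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path dir = create("sanitizer-demo-");
        try {
            System.out.println(dir + " owner-only: " + isOwnerOnly(dir));
        } finally {
            Files.delete(dir);
        }
    }
}
```

The check is deliberately strict: it treats any bit outside the owner triple as a failure rather than only flagging world-readable directories, so a directory created with an unusual umask or a later chmod also shows up. Running the same check against a directory produced by Guava's createTempDir() is a quick way to see why a dependency bump alone does not close the finding: the deprecated method is still present and still behaves as before until the call site is changed.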