Open Nanmozhi22 opened 1 month ago
I will work on this issue
Hello @Nanmozhi22, Thank you for the interest to work on this item.
In order to qualify this item, could you please post in the ticket thread: a) the depentabot alerts mentioned in the ticket description b) the vulnerability
Thanks, Petros
Hello @psavidis
Here are the details which I got from the dependent bot , pls let me know
Description :
Upgrade com.google.guava:guava to version 32.0.0-android or later. For example:
Vulnerability details :
A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.
@Nanmozhi22
Is cve-2020-8908 the one you posted on the ticket?
Hi @psavidis
yes correct that is one :
CVE ID CVE-2020-8908
Upgrade com.google.guava:guava to fix 2 Dependabot alerts in qa/large-data-tests/pom.xml Upgrade com.google.guava:guava to version 32.0.0-android or later. For example:
A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.