[![🚨 Frogbot scanned this pull request and found the below:](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)
[ CVE-2023-2976 ] com.google.guava:guava 31.1-jre
**Description:**
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
[ CVE-2023-2976 ] com.google.guava:guava 25.1-android
**Description:**
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
[ CVE-2023-2976 ] com.google.guava:guava 19.0
**Description:**
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
[ CVE-2018-10237 ] com.google.guava:guava 19.0
**Description:**
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
[ CVE-2020-8908 ] com.google.guava:guava 19.0
**Description:**
[Guava](https://github.com/google/guava) is a set of core Java libraries from Google that includes new collection types (such as multimap and multiset), immutable collections, a graph library, and utilities for concurrency, I/O, hashing, caching, primitives, strings, and more. It is widely used on most Java projects within Google, and widely used by many other companies as well.
The `com.google.common.io.Files.createTempDir()` function creates a temporary directory according to the `java.io.tmpdir` system property, which points to the default temporary directory path. Thus, an attacker having access to the local filesystem, and specifically to the `java.io.tmpdir` directory can read all contents created under the directory returned from `com.google.common.io.Files.createTempDir()`. On Linux, by default, `java.io.tmpdir` points to `/tmp` which is world-readable.
**Remediation:**
##### Deployment mitigations
Set the `java.io.tmpdir` property to a secure folder.
Add this option when running Java: `java -Djava.io.tmpdir=/path/to/secure/tmpdir`
##### Development mitigations
Use the secure alternative API call `java.nio.file.Files.createTempDirectory()`.
Replace:
```java
import com.google.common.io.Files; // Guava's Files, not java.nio.file.Files
File temp = Files.createTempDir(); // returns a File created under java.io.tmpdir (world-readable /tmp on Linux by default)
```
With:
```java
import java.nio.file.Files; // JDK API, the secure alternative
Path temp = Files.createTempDirectory("random-directory"); // "random-directory" is only the name prefix; a random suffix is appended
```
[ CVE-2020-8908 ] com.google.guava:guava 25.1-android
**Description:**
[Guava](https://github.com/google/guava) is a set of core Java libraries from Google that includes new collection types (such as multimap and multiset), immutable collections, a graph library, and utilities for concurrency, I/O, hashing, caching, primitives, strings, and more. It is widely used on most Java projects within Google, and widely used by many other companies as well.
The `com.google.common.io.Files.createTempDir()` function creates a temporary directory according to the `java.io.tmpdir` system property, which points to the default temporary directory path. Thus, an attacker having access to the local filesystem, and specifically to the `java.io.tmpdir` directory can read all contents created under the directory returned from `com.google.common.io.Files.createTempDir()`. On Linux, by default, `java.io.tmpdir` points to `/tmp` which is world-readable.
**Remediation:**
##### Deployment mitigations
Set the `java.io.tmpdir` property to a secure folder.
Add this option when running Java: `java -Djava.io.tmpdir=/path/to/secure/tmpdir`
##### Development mitigations
Use the secure alternative API call `java.nio.file.Files.createTempDirectory()`.
Replace:
```java
import com.google.common.io.Files; // Guava's Files, not java.nio.file.Files
File temp = Files.createTempDir(); // returns a File created under java.io.tmpdir (world-readable /tmp on Linux by default)
```
With:
```java
import java.nio.file.Files; // JDK API, the secure alternative
Path temp = Files.createTempDirectory("random-directory"); // "random-directory" is only the name prefix; a random suffix is appended
```
[ CVE-2020-8908 ] com.google.guava:guava 31.1-jre
**Description:**
[Guava](https://github.com/google/guava) is a set of core Java libraries from Google that includes new collection types (such as multimap and multiset), immutable collections, a graph library, and utilities for concurrency, I/O, hashing, caching, primitives, strings, and more. It is widely used on most Java projects within Google, and widely used by many other companies as well.
The `com.google.common.io.Files.createTempDir()` function creates a temporary directory according to the `java.io.tmpdir` system property, which points to the default temporary directory path. Thus, an attacker having access to the local filesystem, and specifically to the `java.io.tmpdir` directory can read all contents created under the directory returned from `com.google.common.io.Files.createTempDir()`. On Linux, by default, `java.io.tmpdir` points to `/tmp` which is world-readable.
**Remediation:**
##### Deployment mitigations
Set the `java.io.tmpdir` property to a secure folder.
Add this option when running Java: `java -Djava.io.tmpdir=/path/to/secure/tmpdir`
##### Development mitigations
Use the secure alternative API call `java.nio.file.Files.createTempDirectory()`.
Replace:
```java
import com.google.common.io.Files; // Guava's Files, not java.nio.file.Files
File temp = Files.createTempDir(); // returns a File created under java.io.tmpdir (world-readable /tmp on Linux by default)
```
With:
```java
import java.nio.file.Files; // JDK API, the secure alternative
Path temp = Files.createTempDirectory("random-directory"); // "random-directory" is only the name prefix; a random suffix is appended
```
- [x] All tests have passed. If this feature is not already covered by the tests, new tests have been added.
Fix https://github.com/jfrog/build-info/issues/792.
Remove Guava entirely from build-info. Replace Guava's ArrayListMultimap with Apache Commons Collections' ArrayListValuedHashMap. Replace Guava's HashMultimap with Apache Commons Collections' HashSetValuedHashMap.