Path to dependency file: proctor/proctor-store/pom.xml
Path to vulnerable library: canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar
A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.
CVE-2020-8908 - Medium Severity Vulnerability
Vulnerable Library - guava-24.1.1-android.jar
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: proctor/proctor-store/pom.xml
Path to vulnerable library: canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar,canner/.m2/repository/com/google/guava/guava/24.1.1-android/guava-24.1.1-android.jar
Dependency Hierarchy: - :x: **guava-24.1.1-android.jar** (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.
Publish Date: 2020-12-10
URL: CVE-2020-8908
CVSS 3 Score Details (6.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution: v30.0
:rescue_worker_helmet: Automatic Remediation is available for this issue