📂 Vulnerable Library - guava-31.1-jre.jar
Guava is a suite of core and expanded libraries that include
utility classes, Google's collections, I/O classes, and
much more.
Library home page: https://github.com/google/guava
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/31.1-jre/guava-31.1-jre.jar
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-8908 | 🟠 Medium | 4.8 | Not Defined | < 1% | guava-31.1-jre.jar | Direct | com.google.guava:guava:32.0.0-android | ✅ | Reachable |
Details
🟠 CVE-2020-8908
Dependency Hierarchy:
- ❌ guava-31.1-jre.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.telegram.abilitybots.api.objects.Reply (Application)
- com.google.common.collect.ImmutableList (Extension)
- com.google.common.collect.CollectCollectors (Extension)
- com.google.common.collect.RegularImmutableBiMap (Extension)
- com.google.common.collect.TreeRangeSet$RangesByUpperBound$2 (Extension)
- com.google.common.collect.Maps (Extension)
- com.google.common.collect.Maps$TransformedEntriesMap (Extension)
- com.google.common.graph.AbstractNetwork$3 (Extension)
- com.google.common.graph.Network (Extension)
- com.google.common.graph.Graph (Extension)
-> ❌ com.google.common.graph.BaseGraph (Vulnerable Component)

Note that the traced path terminates in com.google.common.graph.BaseGraph, not in com.google.common.io.Files.createTempDir(), the method the advisory actually names. Before treating this finding as exploitable, confirm whether the application (or any library it calls) invokes createTempDir() at all; if it does not, the practical exposure is nil and the upgrade is hygiene rather than an urgent fix.
Vulnerability Details
A temp directory creation vulnerability exists in Guava prior to version 32.0.0. It allows an attacker with local access to the machine to read data in a temporary directory created by com.google.common.io.Files.createTempDir(). The directory is created with the default permissions of a unix-like /tmp (whatever the process umask yields, commonly 0755), so files written into it are readable by other local users. Maintainers recommend explicitly tightening the permissions immediately after creating the directory, or removing uses of the vulnerable method in favour of java.nio.file.Files.createTempDirectory.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Dec 10, 2020 10:10 PM
URL: CVE-2020-8908
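The two remediations the maintainers describe, shown side by side with the vulnerable call. This is an added example, not code from the report or from the telegrambots project; it assumes Guava 31.1-jre on the classpath and a POSIX file system, and the class name and the "abilitybots-" prefix are illustrative only.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempDirPermissions {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");

    // Vulnerable pattern (Guava < 32.0.0): the directory gets whatever mode the
    // process umask yields under /tmp, commonly 0755, so any local user can list it
    // and read world-readable files placed inside.
    static File vulnerable() {
        return com.google.common.io.Files.createTempDir();
    }

    // Remediation 1 (remove the Guava call): use the JDK API with owner-only
    // permissions passed explicitly. On POSIX the JDK already defaults to 0700 for
    // createTempDirectory; passing the attribute makes the intent visible in review.
    static Path hardened() throws IOException {
        return Files.createTempDirectory("abilitybots-",
                PosixFilePermissions.asFileAttribute(OWNER_ONLY));
    }

    // Remediation 2 (keep the Guava call): tighten permissions right after creation.
    // This leaves a short window between mkdir and chmod, so prefer Remediation 1.
    static File tightenedAfterCreation() throws IOException {
        File dir = com.google.common.io.Files.createTempDir();
        Files.setPosixFilePermissions(dir.toPath(), OWNER_ONLY);
        return dir;
    }

    // Check: true only if no group/other permission bits are set on the directory.
    // Throws UnsupportedOperationException on non-POSIX file systems (e.g. NTFS).
    static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir);
        return OWNER_ONLY.containsAll(actual);
    }

    public static void main(String[] args) throws IOException {
        File weak = vulnerable();
        Path strong = hardened();
        File fixed = tightenedAfterCreation();
        // The first result depends on the umask; with the usual 022 it is false.
        System.out.println("Guava createTempDir owner-only?      " + isOwnerOnly(weak.toPath()));
        System.out.println("JDK createTempDirectory owner-only?  " + isOwnerOnly(strong));
        System.out.println("Guava + setPosixFilePermissions?     " + isOwnerOnly(fixed.toPath()));
        // Remove the empty directories created for the demonstration.
        weak.delete();
        Files.delete(strong);
        fixed.delete();
    }
}
```

Run it as an unprivileged user on a shared host to see the difference: the Guava directory reports `false` under a typical 022 umask, while both remediated variants report `true`. The `isOwnerOnly` check is also a reasonable unit-test assertion to add wherever the application creates scratch directories, so a future dependency or refactor cannot silently reintroduce world-readable temp space.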
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 4.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-5mg8-w23w-74h3
Release Date: Dec 10, 2020 10:10 PM
Fix Resolution: com.google.guava:guava:32.0.0-android