📂 Vulnerable Library - guava-30.0-jre.jar
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /tools/ci/flink-ci-tools/pom.xml
Findings

| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-8908 | 🟠 Medium | 4.8 | Not Defined | < 1% | guava-30.0-jre.jar | Direct | com.google.guava:guava:32.0.0-android | ✅ | |
Details
🟠 CVE-2020-8908
Vulnerable Library - guava-30.0-jre.jar
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /tools/ci/flink-ci-tools/pom.xml
Dependency Hierarchy:
- ❌ guava-30.0-jre.jar (Vulnerable Library)
Vulnerability Details
A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Dec 10, 2020 10:10 PM
URL: CVE-2020-8908
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 4.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-5mg8-w23w-74h3
Release Date: Dec 10, 2020 10:10 PM
Fix Resolution: com.google.guava:guava:32.0.0-android