Vulnerability Description
A temp directory creation vulnerability exists in all versions of Guava prior to 32.0.0, allowing an attacker with local access to the machine to potentially read data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). The method creates the directory under java.io.tmpdir with java.io.File.mkdir(), which sets no explicit mode, so the directory takes its permissions from the process umask; with the common default umask of 022 the result is world-readable (readable by any other local user). The method has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory(), which explicitly creates the directory with mode 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured (a parent directory that other users cannot enter or list).
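The program below is an added example, not code from Guava or from the advisory. It reproduces, with the JDK alone, the pattern the deprecated method relies on (File.mkdir() under java.io.tmpdir with no explicit mode) next to the recommended java.nio.file.Files.createTempDirectory() replacement, then inspects the resulting POSIX permission bits so the difference is visible rather than assumed. The class name, the "example-" prefix and the isExposed() helper are assumptions of this example; the run only makes sense on a POSIX file system (Linux, macOS), and with a restrictive umask such as 077 the mkdir-based directory will also come out as 0700, which is exactly why relying on the umask is not a fix.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Assumed example class: compares umask-dependent and explicit-mode temp dirs. */
public class TempDirPermissions {

    /** Owner-only bits; anything outside this set is visible to group/others. */
    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ,
                       PosixFilePermission.OWNER_WRITE,
                       PosixFilePermission.OWNER_EXECUTE);

    /**
     * Same construction the deprecated Guava method uses: File.mkdir() under
     * java.io.tmpdir. No mode is passed, so the kernel applies the process
     * umask to 0777; with umask 022 that yields 0755 (world-readable).
     */
    static File insecureTempDir() {
        File base = new File(System.getProperty("java.io.tmpdir"));
        File dir = new File(base, "example-" + System.nanoTime());  // assumed prefix
        if (!dir.mkdir()) {
            throw new IllegalStateException("could not create " + dir);
        }
        return dir;
    }

    /**
     * Recommended replacement: java.nio requests mode 0700 explicitly, so the
     * directory is owner-only regardless of the umask.
     */
    static Path secureTempDir() throws IOException {
        return Files.createTempDirectory("example-");
    }

    /**
     * Variant for a parent outside java.io.tmpdir, stating the mode explicitly.
     * Useful when the parent is shared and you cannot rely on its permissions.
     */
    static Path secureTempDirUnder(Path parent) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        return Files.createTempDirectory(parent, "example-", ownerOnly);
    }

    /** True if any group/other bit is set, i.e. other local users can see the directory. */
    static boolean isExposed(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        return !OWNER_ONLY.containsAll(perms);
    }

    public static void main(String[] args) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("non-POSIX file system: permission-bit check not applicable");
            return;
        }
        File bad = insecureTempDir();
        Path good = secureTempDir();
        try {
            Path badPath = bad.toPath();
            System.out.printf("mkdir-based:           %s exposed=%s%n",
                    PosixFilePermissions.toString(Files.getPosixFilePermissions(badPath)),
                    isExposed(badPath));
            System.out.printf("createTempDirectory(): %s exposed=%s%n",
                    PosixFilePermissions.toString(Files.getPosixFilePermissions(good)),
                    isExposed(good));
        } finally {
            // Clean up; both directories are empty so deleteIfExists suffices.
            Files.deleteIfExists(bad.toPath());
            Files.deleteIfExists(good);
        }
    }
}
```

Running this with `umask 022; java TempDirPermissions.java` on Linux prints `rwxr-xr-x exposed=true` for the mkdir-based directory and `rwx------ exposed=false` for the java.nio one. The isExposed() check is the kind of assertion worth keeping in a test suite for any code that still writes secrets under a temp directory, since it fails loudly if a future refactor reintroduces an umask-dependent creation path.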
CVSS Score
3.3 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Google | Guava | < 32.0.0 |
| Quarkus | Quarkus | < 1.11.4 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.2.1 |
| Oracle | Communications Pricing Design Center | 12.0.0.4.0 |
| Oracle | Data Integrator | 12.2.1.3.0 |
| Oracle | NoSQL Database | < 20.3 |
| Oracle | PeopleSoft Enterprise PeopleTools | 8.57 |
| Oracle | Retail Customer Management And Segmentation Foundation | >= 16.0, <= 19.0 |
| Oracle | WebLogic Server | 14.1.1.0.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.14.0 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| NetApp | Active IQ Unified Manager | - |
Related Weaknesses (CWE)
References
- https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40 (Patch, Third Party Advisory)
- https://github.com/google/guava/issues/4011 (Issue Tracking, Patch, Third Party Advisory)
- https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aa (Third Party Advisory)
- https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d17 (Third Party Advisory)
- https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f (Third Party Advisory)
- https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e (Third Party Advisory)
- https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d055289 (Third Party Advisory)
- https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d (Third Party Advisory)
- https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf07 (Third Party Advisory)
- https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb (Third Party Advisory)
- https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35 (Third Party Advisory)
- https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff (Third Party Advisory)
- https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a41 (Third Party Advisory)
- https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48 (Third Party Advisory)
- https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6b (Third Party Advisory)
FAQ
What is CVE-2020-8908?
CVE-2020-8908 is a vulnerability with a CVSS score of 3.3 (LOW). A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API co...
How severe is CVE-2020-8908?
CVE-2020-8908 has been rated LOW with a CVSS base score of 3.3/10. This page records only the base score and rating; the full CVSS vector is not listed here. The low rating reflects that exploitation requires an existing local account on the same host and yields read access to whatever the application wrote into the temporary directory, not code execution.
Is there a patch for CVE-2020-8908?
Check the references section above for vendor advisories and patch information. Affected products include: Google Guava, Quarkus Quarkus, Oracle Commerce Guided Search, Oracle Communications Cloud Native Core Network Slice Selection Function, Oracle Communications Pricing Design Center.