Vulnerability Description
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Guava | < 32.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/google/guava/issues/2575Issue TrackingPatchVendor Advisory
- https://security.netapp.com/advisory/ntap-20230818-0008/
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.
- https://github.com/google/guava/issues/2575Issue TrackingPatchVendor Advisory
- https://security.netapp.com/advisory/ntap-20230818-0008/
- https://security.netapp.com/advisory/ntap-20241108-0002/
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.
FAQ
What is CVE-2023-2976?
CVE-2023-2976 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps ...
How severe is CVE-2023-2976?
CVE-2023-2976 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-2976?
Check the references section above for vendor advisories and patch information. Affected products include: Google Guava.