Severity: 3.3 (Low severity)
Details
- CVSS score: 3.3
- CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CWE ID
Overview
About vulnerability
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on Unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime’s java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Details
- Affected product: Apache Hadoop, Apache Hive, Apache Maven, Apache Spark, Apache Tapestry, Eclipse Jetty, Google Guice, Hibernate, Jackson, OkHttp, Protocol Buffers, Spring, Wildfly, accumulo, activemq, agepredictor, amazon-kinesis-client, avro, bookkeeper-common-allocator, carrot2-guava, cassandra-driver-core, cassandra-java-driver, checkstyle, closure-compiler, couchbase-jvm-clients, curator, curator-client, curator-recipes, cxf, elasticsearch, gradle, graphql-java, grpc-core, grpc-java, grpc-netty, guava, hazelcast, incubator-retired-slider, java-datastore, java-opensaml, java-storage, java-support, kotlin, language-detector, logging-log4j2, lucene, maven, netcdf-java, pulsar, randomizedtesting, selenium, sisu, sisu-guava, sisu-guice, sisu.plexus, slider-core, solr, swagger-core, swagger-jaxrs, thredds, tika, truth, wildfly, ws-wss4j, wss4j-ws-security-common
- Affected packages: gradle @ 6.9.4 (+3558 more)
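
The migration recommended in the overview, as an added example (not code from Guava or from this advisory): it creates one directory with default permissions and one with java.nio.file.Files.createTempDirectory(), then checks each for group or other access. It assumes a POSIX file system; the class name, method names and "example-" prefixes are illustrative, and File.mkdir() stands in for any directory created with only the process umask applied.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

public class TempDirPermissions {
    // Permission bits that give accounts other than the owner access to a directory.
    private static final Set<PosixFilePermission> NON_OWNER = EnumSet.of(
        PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
        PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
        PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /** True when group or others hold any permission on dir (POSIX file systems only). */
    static boolean exposedToOtherUsers(Path dir) throws IOException {
        return !Collections.disjoint(Files.getPosixFilePermissions(dir), NON_OWNER);
    }

    // Stand-in for the risky pattern: mkdir() applies only the process umask (commonly 022).
    static Path createWithDefaultPermissions() throws IOException {
        File dir = new File(System.getProperty("java.io.tmpdir"), "example-default-" + System.nanoTime());
        if (!dir.mkdir()) throw new IOException("could not create " + dir);
        return dir.toPath();
    }

    // Recommended replacement: the JDK creates the directory owner-only on POSIX systems.
    static Path createOwnerOnly() throws IOException {
        return Files.createTempDirectory("example-");
    }

    public static void main(String[] args) throws IOException {
        Path legacy = createWithDefaultPermissions();
        Path hardened = createOwnerOnly();
        try {
            for (Path p : new Path[] {legacy, hardened}) {
                System.out.printf("%s %s exposed=%b%n",
                    PosixFilePermissions.toString(Files.getPosixFilePermissions(p)), p, exposedToOtherUsers(p));
            }
            if (exposedToOtherUsers(hardened)) throw new IllegalStateException("temp dir is not owner-only");
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

The exposedToOtherUsers() check can also be pointed at the directory named by java.io.tmpdir when that property is relocated, which is the other mitigation the overview mentions.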