#VU50139 Incorrect default permissions in Guava: Google Core Libraries For Java - CVE-2020-8908

Cybersecurity Help s.r.o.

Published: 2020-12-11 | Updated: 2023-06-08

Vulnerability identifier: #VU50139

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-8908

CWE-ID: CWE-276

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Guava: Google Core Libraries For Java
Universal components / Libraries / Libraries used by multiple products

Vendor: Google

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for files located in the temporary directory set by the Guava com.google.common.io.Files.createTempDir(). A local user with access to the system can view contents of files and directories or modify them.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Guava: Google Core Libraries For Java: 1.0 - 31.1

External links
http://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40
http://github.com/google/guava/issues/4011
http://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e@%3Ccommits.ws.apache.org%3E
http://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6@%3Ccommits.cxf.apache.org%3E
http://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222@%3Ccommits.ws.apache.org%3E
http://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E
http://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf@%3Ccommits.cxf.apache.org%3E
http://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E
http://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E
http://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E
http://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415
http://github.com/google/guava/issues/2575
http://github.com/google/guava/issues/4011
http://github.com/google/guava/releases/tag/v32.0.0

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Maximo Application Suite - IoT Component

IBM watsonx.data update for Google Guava

IBM watsonx.data update for Logback, Guava and Apache HTTPClient

IBM watsonx.data update for FasterXML jackson-databind

Multiple vulnerabilities in IBM QRadar SIEM

Multiple vulnerabilities in Dell ObjectScale

Multiple vulnerabilities in Dell PowerStoreT OS

Multiple vulnerabilities in IBM Storage Virtualize

Splunk Enterprise update for third-party components

Multiple vulnerabilities in Dell PowerStore Family