Incorrect default permissions in Guava: Google Core Libraries For Java

#VU50139 Incorrect default permissions in Guava: Google Core Libraries For Java

Published: 2020-12-11 | Updated: 2023-06-08

Vulnerability identifier: #VU50139

Vulnerability risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8908

CWE-ID: CWE-276

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Guava: Google Core Libraries For Java
Universal components / Libraries / Libraries used by multiple products

Vendor: Google

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for files located in the temporary directory set by the Guava com.google.common.io.Files.createTempDir(). A local user with access to the system can view contents of files and directories or modify them.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Guava: Google Core Libraries For Java: 1.0 - 31.1

External links
http://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40
http://github.com/google/guava/issues/4011
http://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e@%3Ccommits.ws.apache.org%3E
http://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6@%3Ccommits.cxf.apache.org%3E
http://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222@%3Ccommits.ws.apache.org%3E
http://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E
http://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf@%3Ccommits.cxf.apache.org%3E
http://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E
http://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E
http://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E
http://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415
http://github.com/google/guava/issues/2575
http://github.com/google/guava/issues/4011
http://github.com/google/guava/releases/tag/v32.0.0

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Splunk Enterprise update for third-party components

Multiple vulnerabilities in Dell PowerStore Family

Multiple vulnerabilities in IBM Engineering Systems Design Rhapsody

Multiple vulnerabilities in IBM Operational Decision Manager

SUSE update for guava

SUSE update for Maintenance update for SUSE Manager 4.2: Server, Proxy and Retail Branch Server

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

Multiple vulnerabilities in IBM Planning Analytics Workspace

Multiple vulnerabilities in IBM Netcool Operations Insight

Incorrect default permissions in IBM Jazz Reporting Services