CVE-2020-8908: Guava Temporary Directory Permission Information Disclosure Vulnerability
CVSS v3.1 base score: 3.3
Basic Information
CVE ID: CVE-2020-8908
GHSA ID:
EPSS Score: 0.19656%
CWE:
Published: 3/25/2021
Updated: 11/9/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.google.guava:guava | maven | < 32.0.0-android | 32.0.0-android |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
CVE-2020-8908 concerns the creation of temporary directories (and, by extension, temporary files) with insecure default permissions in Guava.
- The primary function identified in the vulnerability description is com.google.common.io.Files.createTempDir. The patch, commit feb83a1c8fd2e7670b244d5afd23cba5aca43284, removes the insecure implementation (a loop that picks candidate names under java.io.tmpdir and calls File.mkdir() until one succeeds) and replaces it with a call to a new, secure TempFileCreator. File.mkdir() creates the directory with the process's default permissions, which on Unix-like systems derive from the umask and are typically world-readable, so the caller has no guarantee that other local users are excluded.
- The same commit also modified com.google.common.io.FileBackedOutputStream. Specifically, its private update method, which creates a temporary file once buffered data exceeds the configured threshold during write operations, previously called java.io.File.createTempFile directly; that API likewise does not guarantee restrictive permissions. The commit message explicitly links the changes in FileBackedOutputStream to the fix for CVE-2020-8908.
Both functions, in their pre-patch state, created filesystem resources in the system's temporary directory without ensuring restrictive permissions, exposing their contents to other local users on the machine. This matches the CVSS vector above: local attack vector, low privileges required, confidentiality impact only.
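The following Java program is an added example, not Guava's code and not part of the commit discussed above. It reproduces the shape of the pre-patch createTempDir pattern (File.mkdir() under java.io.tmpdir), places the java.nio.file replacement that the Guava advisory recommends beside it, and audits the permissions each one produces. The class and method names, the 10,000-attempt bound, and the prefix strings are this example's own choices; the audit assumes a POSIX file system and reports "not inspected" where no POSIX attribute view exists (for example NTFS). Requires Java 7 or later.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Added example (not Guava code): insecure vs. secure temp directory creation. */
public final class TempDirPermissions {

    // Mirrors the shape of the pre-patch Guava implementation: choose a name under
    // java.io.tmpdir and call File.mkdir(). The resulting mode is 0777 & ~umask,
    // so with the common umask 022 the directory is world-readable (0755).
    static File createTempDirLikePrePatchGuava() {
        File baseDir = new File(System.getProperty("java.io.tmpdir"));
        String baseName = System.currentTimeMillis() + "-";
        for (int counter = 0; counter < 10_000; counter++) {   // bound chosen for this example
            File tempDir = new File(baseDir, baseName + counter);
            if (tempDir.mkdir()) {
                return tempDir;
            }
        }
        throw new IllegalStateException("Failed to create directory under " + baseDir);
    }

    // Hardened replacement: java.nio.file.Files.createTempDirectory creates the
    // directory with owner-only permissions (rwx------) on POSIX file systems and
    // chooses an unpredictable name, so no loop over guessable names is needed.
    static Path createTempDirSecurely() throws IOException {
        return Files.createTempDirectory("example-");
    }

    // The same concern applies to files (cf. FileBackedOutputStream): the NIO API
    // defaults to rw------- on POSIX, unlike java.io.File.createTempFile.
    static Path createTempFileSecurely() throws IOException {
        return Files.createTempFile("example-", ".tmp");
    }

    static boolean hasPosixView() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    // Audit helper: true if any group or world permission bit is set on the entry.
    // Without a POSIX view there is nothing to inspect, so the entry is reported
    // as not exposed and the caller decides how to treat that case.
    static boolean isExposedToOtherUsers(Path p) throws IOException {
        if (!hasPosixView()) {
            return false;
        }
        Set<PosixFilePermission> nonOwner = EnumSet.of(
                PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
                PosixFilePermission.GROUP_EXECUTE,
                PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE,
                PosixFilePermission.OTHERS_EXECUTE);
        nonOwner.retainAll(Files.getPosixFilePermissions(p));
        return !nonOwner.isEmpty();
    }

    private static void report(Path p) throws IOException {
        String perms = hasPosixView()
                ? PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
                : "(no POSIX view, not inspected)";
        System.out.printf("%-60s %s exposed=%b%n", p, perms, isExposedToOtherUsers(p));
    }

    public static void main(String[] args) throws IOException {
        File insecureDir = createTempDirLikePrePatchGuava();
        Path secureDir = createTempDirSecurely();
        Path secureFile = createTempFileSecurely();
        try {
            report(insecureDir.toPath());  // exposed=true under a typical umask of 022
            report(secureDir);             // rwx------, exposed=false
            report(secureFile);            // rw-------, exposed=false
        } finally {
            Files.deleteIfExists(secureFile);
            Files.deleteIfExists(secureDir);
            Files.deleteIfExists(insecureDir.toPath());
        }
    }
}
```

Run it with `java TempDirPermissions.java` (Java 11+) on a Unix-like host. Whether the mkdir() directory is flagged depends on the caller's umask, which is exactly the point: the pre-patch code left the outcome to the environment, while the NIO calls set owner-only permissions themselves. The same audit helper can be pointed at an existing application's temporary directory to check what it is actually running with.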