CVE-2020-8908: Guava Temporary Directory Permission Information Disclosure Vulnerability

CVE-2020-8908 identifies an information disclosure vulnerability in Google Guava library that creates temporary directories with insecure world-readable permissions through the com.google.common.io.Files.createTempDir() method on Unix-like systems. This vulnerability affects all Guava versions prior to 32.0.0-android (deprecated in 30.0), achieving a CVSS score of 3.3 (Low severity) with an EPSS score of 19.6 percentile and 0.1% exploitation probability, indicating limited but persistent risk for applications storing sensitive data in temporary directories. The vulnerability details reveal that the createTempDir() method creates directories with default Unix permissions that grant read access to all system users, potentially exposing sensitive application data to local attackers with system access. This creates exploit risk for Java applications that process confidential data through temporary file operations, particularly affecting multi-user systems, shared hosting environments, and enterprise applications where multiple users or processes have access to the same system and could potentially read temporary files created by other applications using vulnerable Guava versions. The technical root cause lies in Guava's createTempDir() implementation and FileBackedOutputStream.update() method, which create filesystem resources without setting restrictive permissions, classified as CWE-173 (Improper Handling of Alternate Encoding), creating a vector for known exploited vulnerabilities targeting local information disclosure through insecure file permissions. The vulnerability specifically affects Unix-like systems where the /tmp directory is shared among all users, and the default file creation permissions allow broader access than intended for sensitive temporary data storage. Google's response involved deprecating the vulnerable method rather than fixing it directly, acknowledging that better alternatives exist in modern Java versions. Mitigation strategies include migrating to secure alternatives such as java.nio.file.Files.createTempDirectory() which explicitly sets permissions to 700 (owner-only access), using Android's context.getCacheDir() for Android applications, or configuring the java.io.tmpdir system property to point to directories with appropriately restrictive permissions. Organizations should prioritize identifying all Java applications using vulnerable Guava versions with temporary directory operations, audit applications for sensitive data processing through temporary files, implement proper file permission controls for temporary data storage, and maintain updated CVE database records to track similar file permission vulnerabilities that could compromise application security through insecure temporary file handling and inadequate access controls in shared system environments.