5.5

CVSS Score

Basic Information

CVE ID

CVE-2023-2976

GHSA ID

GHSA-7g45-4rm6-3mm3

EPSS Score

CWE

CWE-379

Published

6/14/2023

Updated

2/13/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-2976

CVE-2023-2976:
Guava vulnerable to insecure use of temporary directory

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

(GitHub Advisory)

5.5

CVSS Score

Basic Information

CVE ID

CVE-2023-2976

GHSA ID

GHSA-7g45-4rm6-3mm3

EPSS Score

CWE

CWE-379

Published

6/14/2023

Updated

2/13/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.google.guava:guava	maven	>= 1.0, < 32.0.0-android	32.0.0-android

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis is based on the provided commit feb83a1c8fd2e7670b244d5afd23cba5aca43284, which addresses the insecure use of temporary directories. The vulnerability description specifically mentions FileBackedOutputStream. The commit modifies this class and Files.createTempDir() to use a new, secure TempFileCreator.

com.google.common.io.FileBackedOutputStream:
- The constructors (<init>(int) and <init>(int, boolean)) are identified as vulnerable because they initialized the stream in a way that would lead to insecure temporary file creation. They previously passed null as the parentDirectory to an internal mechanism, causing the update(int) method to use File.createTempFile with the system's default temporary directory.
- The update(int) method is identified because it contained the actual call to File.createTempFile(..., parentDirectory), where parentDirectory could be null, leading to the insecure behavior.
com.google.common.io.Files.createTempDir():
- This method is identified as vulnerable because its original implementation created a directory in the default system temporary path (java.io.tmpdir) without ensuring appropriate, restricted permissions.

The patch replaces these vulnerable behaviors by delegating temporary file and directory creation to TempFileCreator.INSTANCE, which is designed to create them securely or fail if secure creation is not possible. The identified functions are those that contained the insecure logic before this fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Us* o* J*v*'s ****ult t*mpor*ry *ir**tory *or *il* *r**tion in `*il****k**OutputStr**m` in *oo*l* *u*v* v*rsions *.* to **.* on Unix syst*ms *n* *n*roi* I** *r**m S*n*wi** *llows ot**r us*rs *n* *pps on t** m***in* wit* ****ss to t** ****ult J*v* t*m

Reasoning

T** *n*lysis is **s** on t** provi*** *ommit `****************************************`, w*i** ***r*ss*s t** ins**ur* us* o* t*mpor*ry *ir**tori*s. T** vuln*r**ility **s*ription sp**i*i**lly m*ntions `*il****k**OutputStr**m`. T** *ommit mo*i*i*s t*i

5.5

Basic Information

Concerned about an active attack path?

CVE-2023-2976: Guava vulnerable to insecure use of temporary directory

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-2976:
Guava vulnerable to insecure use of temporary directory

Vulnerability Intelligence
Miggo AI