alkal-io/kalium

Vulnerabilities

1 via 1 paths

Dependencies

9

Source

GitHub

Commit

ec9f969d

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity

Information Disclosure

  • Vulnerable module: com.google.guava:guava
  • Introduced through: com.google.guava:guava@28.1-jre

Detailed paths

  • Introduced through: alkal-io/kalium@alkal-io/kalium#ec9f969da2e56ea5e21a7460c3fa2c9e95541dee com.google.guava:guava@28.1-jre
    Remediation: Upgrade to com.google.guava:guava@30.0-android.

Overview

com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset,immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Information Disclosure. The file permissions on the file created by com.google.common.io.Files.createTempDir allows an attacker running a malicious program co-resident on the same machine can steal secrets stored in this directory. This is because by default on unix-like operating systems the /temp directory is shared between all users, so if the correct file permissions aren't set by the directory/file creator, the file becomes readable by all other users on that system.

PoC

File guavaTempDir = com.google.common.io.Files.createTempDir();
System.out.println("Guava Temp Dir: " + guavaTempDir.getName());
runLS(guavaTempDir.getParentFile(), guavaTempDir); // Prints the file permissions -> drwxr-xr-x
File child = new File(guavaTempDir, "guava-child.txt");
child.createNewFile();
runLS(guavaTempDir, child); // Prints the file permissions -> -rw-r--r--

For Android developers, it is recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Remediation

Upgrade com.google.guava:guava to version 30.0-android, 30.0-jre or higher.

References