1 via 1 paths








low severity

Information Disclosure

  • Vulnerable module:
  • Introduced through:

Detailed paths

  • Introduced through: alkal-io/kalium@alkal-io/kalium#ec9f969da2e56ea5e21a7460c3fa2c9e95541dee
    Remediation: Upgrade to

Overview is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Information Disclosure. The file permissions on the file created by allow an attacker running a malicious program co-resident on the same machine to steal secrets stored in this directory. This is because, by default, on Unix-like operating systems the /tmp directory is shared between all users, so if the directory or file creator does not set the correct file permissions, the file becomes readable by all other users on that system.


File guavaTempDir =;
System.out.println("Guava Temp Dir: " + guavaTempDir.getName());
runLS(guavaTempDir.getParentFile(), guavaTempDir); // Prints the file permissions -> drwxr-xr-x
File child = new File(guavaTempDir, "guava-child.txt");
runLS(guavaTempDir, child); // Prints the file permissions -> -rw-r--r--

For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory(), which explicitly configures permissions of 700, or configuring the Java runtime's system property to point to a location whose permissions are appropriately configured.


There is no fix for However, in version 30.0 and above, the vulnerable functionality has been deprecated. In order to mitigate this vulnerability, upgrade to version 30.0 or higher and ensure your dependencies don't use the createTempFile or createTempFile methods.