Affecting com.google.guava:guava artifact, versions [, 30.0-android) || (30.0-android, 30.0-jre)
com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.
Affected versions of this package are vulnerable to Information Disclosure. The file permissions on the directory created by com.google.common.io.Files.createTempDir allow an attacker running a malicious program co-resident on the same machine to steal secrets stored in this directory. This is because by default on Unix-like operating systems the /tmp directory is shared between all users, so if the correct file permissions aren't set by the directory/file creator, the file becomes readable by all other users on that system.
```java
import java.io.File;
import java.io.IOException;

// Excerpt from the original report; runLS is its helper that lists the permissions
// of the given entry (not reproduced on this page). The statements below must run
// inside a method that declares `throws IOException`.
File guavaTempDir = com.google.common.io.Files.createTempDir();
System.out.println("Guava Temp Dir: " + guavaTempDir.getName());
runLS(guavaTempDir.getParentFile(), guavaTempDir); // Prints the file permissions -> drwxr-xr-x
File child = new File(guavaTempDir, "guava-child.txt");
child.createNewFile();
runLS(guavaTempDir, child); // Prints the file permissions -> -rw-r--r--
```
For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory(), which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Upgrade com.google.guava:guava to version 30.0-android, 30.0-jre or higher.
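The migration described above, as an added example that is not part of the advisory or of Guava: a java.nio replacement for Files.createTempDir() that requests mode 700 explicitly, creates files inside it with mode 600, and includes the owner-only check an audit or unit test would run. The class and method names (PrivateTempDir, createPrivateTempDir, isOwnerOnly) are this example's own.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/** Added example: owner-only temp directory in place of Guava's Files.createTempDir(). */
public class PrivateTempDir {
    private static final boolean POSIX =
            FileSystems.getDefault().supportedFileAttributeViews().contains("posix");

    private static FileAttribute<Set<PosixFilePermission>> mode(String rwx) {
        return PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(rwx));
    }

    /** Temp directory under java.io.tmpdir with mode 700 (owner rwx only). */
    static Path createPrivateTempDir(String prefix) throws IOException {
        // createTempDirectory already defaults to 700 on POSIX; passing the attribute
        // makes the intent explicit, and a umask can only remove bits, never add them.
        return POSIX ? Files.createTempDirectory(prefix, mode("rwx------"))
                     : Files.createTempDirectory(prefix); // Windows: per-user %TEMP% ACL
    }

    /** File inside dir created with mode 600, so it stays private even if dir is later loosened. */
    static Path createPrivateFile(Path dir, String name) throws IOException {
        Path p = dir.resolve(name);
        return POSIX ? Files.createFile(p, mode("rw-------")) : Files.createFile(p);
    }

    /** The audit check: true when no group or "other" permission bit is set. */
    static boolean isOwnerOnly(Path p) throws IOException {
        if (!POSIX) return true; // no POSIX bits to inspect on this platform
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            if (!perm.name().startsWith("OWNER_")) return false;
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("private-");
        Path secret = createPrivateFile(dir, "secret.txt");
        // Expected on Linux/macOS: rwx------ for dir, rw------- for file (vs rwxr-xr-x / rw-r--r-- from Guava).
        for (Path p : new Path[] {dir, secret}) {
            System.out.println(p + " " + (POSIX ? PosixFilePermissions.toString(Files.getPosixFilePermissions(p)) : "n/a"));
            if (!isOwnerOnly(p)) throw new IllegalStateException(p + " is readable by other users");
        }
    }
}
```

Running it on a POSIX system prints the two paths with rwx------ and rw-------, which is the direct counterpart of the drwxr-xr-x / -rw-r--r-- output shown for the vulnerable API.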