Information Disclosure

Affecting com.google.guava:guava artifact, versions [, 30.0-android) || (30.0-android, 30.0-jre)

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset,immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Information Disclosure. The file permissions on the file created by com.google.common.io.Files.createTempDir allows an attacker running a malicious program co-resident on the same machine can steal secrets stored in this directory. This is because by default on unix-like operating systems the /temp directory is shared between all users, so if the correct file permissions aren't set by the directory/file creator, the file becomes readable by all other users on that system.

PoC

File guavaTempDir = com.google.common.io.Files.createTempDir();
System.out.println("Guava Temp Dir: " + guavaTempDir.getName());
runLS(guavaTempDir.getParentFile(), guavaTempDir); // Prints the file permissions -> drwxr-xr-x
File child = new File(guavaTempDir, "guava-child.txt");
child.createNewFile();
runLS(guavaTempDir, child); // Prints the file permissions -> -rw-r--r--

Remediation

Upgrade com.google.guava:guava to version 30.0-android, 30.0-jre or higher.

References

CVSS Score

5.5
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/RL:O
Credit
Jonathan Leitschuh
CWE
CWE-200
Snyk ID
SNYK-JAVA-COMGOOGLEGUAVA-1015415
Disclosed
02 Oct, 2020
Published
23 Oct, 2020