CVE-2023-2976

EUVD-2023-1730
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
GoogleCNA
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Affected Products (NVD)
VendorProductVersion
googleguava
𝑥
< 32.0.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
guava-libraries
bookworm
ignored
bullseye
no-dsa
buster
no-dsa
sid
32.0.1-1
fixed
trixie
32.0.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
guava-libraries
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
not-affected
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/google/guava/issues/2575
https://security.netapp.com/advisory/ntap-20230818-0008/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html
https://github.com/google/guava/issues/2575
https://security.netapp.com/advisory/ntap-20230818-0008/
https://security.netapp.com/advisory/ntap-20241108-0002/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html