CVE-2020-8908
temp directory creation vulnerability in guava (Maven)
What is CVE-2020-8908 About?
This vulnerability in Guava allows for insecure temporary directory creation, potentially enabling attackers with local machine access to view sensitive data. The impact is significant as it can lead to information disclosure. Exploitation requires local access but otherwise appears straightforward due to default insecure permissions.
Affected Software
Technical Details
The vulnerability resides in the com.google.common.io.Files.createTempDir() method within Guava versions prior to 32.0.0. When this method is called, it creates a temporary directory. The issue stems from the default permissions assigned to this newly created directory, which typically default to standard Unix-like /tmp permissions. These permissions are often too broad, allowing other local users or processes on the same machine to access the contents of the temporary directory. An attacker with local access can therefore read sensitive data written into these directories, leading to information disclosure. The mechanism involves the application using this function to handle sensitive data, while the OS assigns world-readable permissions by default to the created directory.
What is the Impact of CVE-2020-8908?
Successful exploitation may allow attackers to bypass intended data isolation, read sensitive information stored in insecurely created temporary directories, and gain unauthorized access to data.
What is the Exploitability of CVE-2020-8908?
Exploitation requires local access to the machine running the vulnerable Guava application. No specific authentication or privilege requirements are explicitly stated beyond having sufficient access to interact with the local filesystem, suggesting that a standard user or an attacker who has already gained initial access could exploit this. The complexity is low as it leverages default insecure file permissions. Special conditions include the application actively using the createTempDir() method to store data that an attacker wishes to access. The risk factors increase if sensitive information is frequently processed and stored using this vulnerable method on multi-user systems.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2020-8908?
About the Fix from Resolved Security
Available Upgrade Options
- com.google.guava:guava
- <32.0.0-android → Upgrade to 32.0.0-android
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44@%3Cissues.geode.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21@%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E
- https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-8908?
Similar Vulnerabilities: CVE-2017-1000366 , CVE-2016-1000027 , CVE-2011-3093 , CVE-2014-0466 , CVE-2019-14275
