CVE-2023-2976
Information Exposure vulnerability in guava (Maven)

Information Exposure | No known exploit | Fixable by Resolved Security

What is CVE-2023-2976 About?

This Information Exposure vulnerability affects `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix and Android ICS. The class creates its files in Java's default temporary directory, which makes them accessible to other users or apps on the machine. Exploitation is local and of low complexity when other system users exist.

Affected Software

com.google.guava:guava >1.0, <32.0.0-android

Technical Details

The `FileBackedOutputStream` class in Google Guava, in versions 1.0 to 31.1 (specifically on Unix systems and Android Ice Cream Sandwich), creates its files in Java's default temporary directory. The default permissions or location of that directory often allow read/write access to other local users or applications on the same machine. Because the files are not adequately isolated, anything `FileBackedOutputStream` writes to temporary storage can be read, or potentially modified, by unauthorized local entities, leading to information exposure or possible data tampering.
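The following is an added illustration, not code from Guava or from this advisory. It is a JDK-only check that creates one temp file with the legacy `java.io.File.createTempFile` call and one with owner-only permissions, then reports whether other local users could read or write each. The class name and the `spill-demo` prefix are made up for the example, and using the legacy call to stand in for the vulnerable creation pattern is an assumption.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class TempFilePermissionCheck {
    // Permission bits that let anyone other than the owner touch the file.
    private static final Set<PosixFilePermission> NON_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    // Returns true when group or other users can read or write the file.
    static boolean exposedToOtherUsers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.stream().anyMatch(NON_OWNER::contains);
    }

    static void report(String label, Path p) throws IOException {
        System.out.printf("%-8s %s %s exposed=%b%n", label,
                PosixFilePermissions.toString(Files.getPosixFilePermissions(p)),
                p, exposedToOtherUsers(p));
    }

    public static void main(String[] args) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("Non-POSIX filesystem: permission check not applicable");
            return;
        }
        // Legacy API: lands in java.io.tmpdir with mode 0666 masked by the umask.
        Path legacy = File.createTempFile("spill-demo", null).toPath();
        // Hardened: same directory, but owner-only permissions set at creation.
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Path hardened = Files.createTempFile("spill-demo", null, ownerOnly);
        try {
            System.out.println("java.io.tmpdir = " + System.getProperty("java.io.tmpdir"));
            report("legacy", legacy);
            report("hardened", hardened);
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

The result for the legacy file depends on the umask of the process that runs it, so run the check under the same service account and environment as the application being assessed.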

What is the Impact of CVE-2023-2976?

Successful exploitation may allow attackers to obtain sensitive information from temporary files created by the application, or potentially alter application data stored temporarily, leading to unauthorized data access or integrity compromise.

What is the Exploitability of CVE-2023-2976?

Exploitation of this vulnerability is of low complexity. It is a local vulnerability, meaning an attacker must have access to the same machine where the vulnerable application is running. There are no authentication or privilege requirements against the application itself to access the temporary files, only standard filesystem access to the default Java temporary directory. The risk increases on multi-user systems or systems running multiple applications (potentially untrusted) that can access shared temporary directories. The primary risk factor is the deployment of applications using vulnerable Guava versions in environments where local users or processes are not fully trusted or isolated.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2023-2976?

A Fix by Resolved Security Exists!

Available Upgrade Options

  • com.google.guava:guava
    • >1.0, <32.0.0-android → Upgrade to 32.0.0-android

Additional Resources

What are Similar Vulnerabilities to CVE-2023-2976?

Similar Vulnerabilities: CVE-2023-25164, CVE-2022-23438, CVE-2021-36371, CVE-2023-44483, CVE-2022-26284