CVE-2020-8908 (CNNVD-202012-827)
LOW
中文标题:
Google Guava 访问控制错误漏洞
英文标题:
Temp directory permission issue in Guava
CVSS分数:
3.3
发布时间:
2020-12-10 22:10:58
漏洞类型:
授权问题
状态:
PUBLISHED
数据质量分数:
0.30
数据版本:
v3
漏洞描述
中文描述:
Google Guava是美国谷歌(Google)公司的一款包括图形库、函数类型、I/O和字符串处理等的Java核心库。 Google Guava 30.0版本之前存在访问控制错误漏洞,该漏洞源于Guava存在一个临时目录创建漏洞,允许访问机器的攻击者可利用该漏洞潜在地访问由Guava com.google.common.io. Files. createTempDir() 创建的临时目录中的数据。攻击者可以利用该漏洞访问特殊目录。
英文描述:
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE类型:
CWE-732
CWE-378
标签:
(暂无数据)
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| Google LLC | Guava | - | < 32.0 | - |
cpe:2.3:a:google_llc:guava:*:*:*:*:*:*:*:*
|
| guava | * | - | - |
cpe:2.3:a:google:guava:*:*:*:*:*:*:*:*
|
|
| quarkus | quarkus | * | - | - |
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
|
| oracle | commerce_guided_search | 11.3.2 | - | - |
cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
|
| oracle | communications_cloud_native_core_network_slice_selection_function | 1.2.1 | - | - |
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:*:*:*:*:*:*:*
|
| oracle | communications_pricing_design_center | 12.0.0.4.0 | - | - |
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*
|
| oracle | communications_pricing_design_center | 12.0.0.5.0 | - | - |
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.5.0:*:*:*:*:*:*:*
|
| oracle | data_integrator | 12.2.1.3.0 | - | - |
cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*
|
| oracle | data_integrator | 12.2.1.4.0 | - | - |
cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*
|
| oracle | nosql_database | * | - | - |
cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
|
| oracle | peoplesoft_enterprise_peopletools | 8.57 | - | - |
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
|
| oracle | peoplesoft_enterprise_peopletools | 8.58 | - | - |
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
|
| oracle | peoplesoft_enterprise_peopletools | 8.59 | - | - |
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
|
| oracle | retail_customer_management_and_segmentation_foundation | * | - | - |
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*
|
| oracle | weblogic_server | 14.1.1.0.0 | - | - |
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
|
| oracle | communications_cloud_native_core_network_repository_function | 1.14.0 | - | - |
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:*:*:*:*:*:*:*
|
| oracle | primavera_unifier | * | - | - |
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
|
| oracle | primavera_unifier | 18.8 | - | - |
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
|
| oracle | primavera_unifier | 19.12 | - | - |
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
|
| oracle | primavera_unifier | 20.12 | - | - |
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
|
| oracle | primavera_unifier | 21.12 | - | - |
cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
|
| netapp | active_iq_unified_manager | - | - | - |
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
|
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
[ws-commits] 20210104 [ws-wss4j] branch master updated: Updating Guava to 30.1 due to CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[ws-commits] 20210104 [ws-wss4j] branch 2_3_x-fixes updated: Updating Guava to 30.1 due to CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[cxf-commits] 20210104 [cxf] 03/04: Updating Guava to 30.1 due to CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[cxf-commits] 20210104 [cxf] 02/02: Updating Guava to 30.1 due to CVE-2020-8908
mailing-list
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core
mailing-list
cve.org
访问
cve.org
[db-torque-dev] 20210127 Re: Items for our (delayed) quarterly report to the board?
mailing-list
cve.org
访问
cve.org
[db-torque-dev] 20210128 Antwort: Re: Items for our (delayed) quarterly report to the board?
mailing-list
cve.org
访问
cve.org
[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities
mailing-list
cve.org
访问
cve.org
[myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix
mailing-list
cve.org
访问
cve.org
[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version
mailing-list
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
[drill-dev] 20210618 [GitHub] [drill] ssainz edited a comment on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1
mailing-list
cve.org
访问
cve.org
[drill-dev] 20210618 [GitHub] [drill] ssainz commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1
mailing-list
cve.org
访问
cve.org
[drill-dev] 20210618 [GitHub] [drill] cgivre commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1
mailing-list
cve.org
访问
cve.org
[drill-dev] 20210619 [GitHub] [drill] luocooong commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1
mailing-list
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
[hadoop-yarn-issues] 20211018 [jira] [Updated] (YARN-10980) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hadoop-yarn-dev] 20211018 [jira] [Created] (YARN-10980) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hadoop-common-issues] 20211018 [GitHub] [hadoop] lujiefsi opened a new pull request #3561: Yarn 10980
mailing-list
cve.org
访问
cve.org
[hadoop-yarn-issues] 20211018 [jira] [Created] (YARN-10980) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hadoop-yarn-dev] 20211018 [jira] [Resolved] (YARN-10980) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hive-dev] 20211018 [jira] [Created] (HIVE-25617) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hadoop-common-issues] 20211018 [GitHub] [hadoop] lujiefsi edited a comment on pull request #3561: YARN-10980:fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hive-issues] 20211018 [jira] [Updated] (HIVE-25617) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hive-issues] 20211018 [jira] [Work logged] (HIVE-25617) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hadoop-yarn-issues] 20211018 [jira] [Comment Edited] (YARN-10980) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hadoop-yarn-issues] 20211018 [jira] [Resolved] (YARN-10980) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hive-gitbox] 20211018 [GitHub] [hive] lujiefsi opened a new pull request #2725: HIVE-25617:fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[hadoop-yarn-issues] 20211018 [jira] [Commented] (YARN-10980) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[geode-issues] 20211018 [jira] [Created] (GEODE-9744) fix CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) bug like CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) bug CVE-2020-8908
mailing-list
cve.org
访问
cve.org
[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) like CVE-2020-8908
mailing-list
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
[pig-dev] 20211021 [GitHub] [pig] lujiefsi opened a new pull request #36: PIG-5417:Replace guava's Files.createTempDir()
mailing-list
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
无标题
x_refsource_MISC
cve.org
访问
cve.org
无标题
x_refsource_CONFIRM
cve.org
访问
cve.org
CVSS评分详情
3.1 (cna)
LOW
3.3
CVSS向量:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
机密性
LOW
完整性
NONE
可用性
NONE
时间信息
发布时间:
2020-12-10 22:10:58
修改时间:
2024-08-04 10:12:10
创建时间:
2025-11-11 15:36:29
更新时间:
2025-11-11 15:56:33
利用信息
暂无可利用代码信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2020-8908 |
2025-11-11 15:20:43 | 2025-11-11 07:36:29 |
| NVD | nvd_CVE-2020-8908 |
2025-11-11 14:57:06 | 2025-11-11 07:44:52 |
| CNNVD | cnnvd_CNNVD-202012-827 |
2025-11-11 15:10:32 | 2025-11-11 07:56:33 |
版本与语言
当前版本:
v3
主要语言:
EN
支持语言:
EN
ZH
安全公告
暂无安全公告信息
变更历史
v3
CNNVD
2025-11-11 15:56:33
vulnerability_type: 未提取 → 授权问题; cnnvd_id: 未提取 → CNNVD-202012-827; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
- vulnerability_type: 未提取 -> 授权问题
- cnnvd_id: 未提取 -> CNNVD-202012-827
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2
NVD
2025-11-11 15:44:52
affected_products_count: 1 → 22; data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
- affected_products_count: 1 -> 22
- data_sources: ['cve'] -> ['cve', 'nvd']