Vulnerability Details : CVE-2020-8908
Potential exploit
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Products affected by CVE-2020-8908
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*
- Oracle » Retail Customer Management And Segmentation FoundationVersions from including (>=) 16.0 and up to, including, (<=) 19.0cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:google:guava:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
- cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-8908
0.01%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-8908
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST | |
|
3.3
|
LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
1.8
|
1.4
|
Google Inc. | |
|
3.3
|
LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
1.8
|
1.4
|
NIST |
CWE ids for CVE-2020-8908
-
Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.Assigned by: cve-coordination@google.com (Secondary)
-
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-8908
-
https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E
[GitHub] [hive] lujiefsi opened a new pull request #2725: HIVE-25617:fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E
[jira] [Updated] (GEODE-9744) bug CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E
[jira] [Resolved] (YARN-10980) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E
[GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core-Apache Mail ArchivesThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E
[GitHub] [drill] luocooong commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E
[jira] [Updated] (GEODE-9744) like CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E
[jira] [Work logged] (HIVE-25617) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E
[cxf] 03/04: Updating Guava to 30.1 due to CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E
Build failed in Jenkins: DB » Torque » Torque5-trunk #7-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E
[jira] [Resolved] (YARN-10980) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E
[jira] [Updated] (HIVE-25617) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://www.oracle.com//security-alerts/cpujul2021.html
Oracle Critical Patch Update Advisory - July 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E
[jira] [Updated] (GEODE-9744) bug like CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2022.html
Oracle Critical Patch Update Advisory - January 2022Third Party Advisory
-
https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40
Deprecate Files.createTempDir(), noting that better alternatives exis… · google/guava@fec0dbc · GitHubPatch;Third Party Advisory
-
https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E
[jira] [Updated] (YARN-10980) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E
[jira] [Created] (YARN-10980) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E
[GitHub] [hadoop] lujiefsi edited a comment on pull request #3561: YARN-10980:fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E
[jira] [Updated] (GEODE-9744) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E
[GitHub] [drill] cgivre commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1-Apache Mail ArchivesThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuApr2021.html
Oracle Critical Patch Update Advisory - April 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E
[GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version-Apache Mail ArchivesThird Party Advisory
-
https://github.com/google/guava/issues/4011
CVE-2020-8908: Files::createTempDir local information disclosure vulnerability · Issue #4011 · google/guava · GitHubIssue Tracking;Patch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20220210-0003/
CVE-2020-8908 Guava Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E
[GitHub] [hadoop] lujiefsi opened a new pull request #3561: Yarn 10980-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E
[GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E
[jira] [Commented] (YARN-10980) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E
Antwort: Re: Items for our (delayed) quarterly report to the board?-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E
Re: Items for our (delayed) quarterly report to the board?-Apache Mail ArchivesThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E
[jira] [Created] (YARN-10980) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E
[GitHub] [drill] ssainz commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E
[ws-wss4j] branch master updated: Updating Guava to 30.1 due to CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E
[cxf] 02/02: Updating Guava to 30.1 due to CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E
[jira] [Comment Edited] (YARN-10980) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E
[GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E
[GitHub] [pig] lujiefsi opened a new pull request #36: PIG-5417:Replace guava's Files.createTempDir()-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E
[ws-wss4j] branch 2_3_x-fixes updated: Updating Guava to 30.1 due to CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E
[GitHub] [drill] ssainz edited a comment on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1-Apache Mail ArchivesThird Party Advisory
-
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415
Information Disclosure in com.google.guava:guava | SnykExploit;Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E
[jira] [Created] (GEODE-9744) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
-
https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E
[jira] [Created] (HIVE-25617) fix CVE-2020-8908-Apache Mail ArchivesThird Party Advisory
Jump to