{"schema_version":"1.7.2","id":"OESA-2021-1049","modified":"2021-03-05T11:02:38Z","published":"2021-03-05T11:02:38Z","upstream":["CVE-2020-8908"],"summary":"guava security update","details":"Guava is a set of core Java libraries from Google that includes new collection types (such as multimap and multiset), immutable collections, a graph library, and utilities for concurrency, I/O, hashing, caching, primitives, strings, and more! It is widely used on most Java projects within Google, and widely used by many other companies as well.\r\n\r\nSecurity Fix(es):\r\n\r\nA temp directory creation vulnerability exists in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither is possible. (CVE-2020-8908)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP1","name":"guava","purl":"pkg:rpm/openEuler/guava\u0026distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"25.0-5.oe1"}]}],"ecosystem_specific":{"noarch":["guava-help-25.0-5.oe1.noarch.rpm","guava-testlib-25.0-5.oe1.noarch.rpm","guava-25.0-5.oe1.noarch.rpm"],"src":["guava-25.0-5.oe1.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1049"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8908"}],"database_specific":{"severity":"Low"}}