[Medium Risk] Guava<32.0.0 has a race condition vulnerability

Vulnerability description

Guava is an open source Java code library developed by Google that provides commonly used Java tools and data structures.

The FileBackedOutputStream class in Guava 1.0 through 31.1 creates its backing file in Java's default temporary directory (java.io.tmpdir). On Unix systems and on Android Ice Cream Sandwich that directory is shared by every user and app on the machine, so anyone with access to it can reach the files the class creates. Because the file name is easy to guess, such an attacker can also create a malicious file of the same name ahead of time, causing a conflict; if the application then depends on that file, the attacker can manipulate the application's behaviour through it.

Version 32.0.0 fixes this vulnerability but does not work on Windows systems. Windows users should upgrade directly to version 32.0.1.

Vulnerability name: Guava<32.0.0 has a race condition vulnerability
Vulnerability type: Creation of temporary files with insecure permissions
Discovery time: 2023/6/15
Vulnerability breadth: general
MPS number: MPS-mfku-xzh3
CVE number: CVE-2023-2976
CNVD number: -


Affected scope

com.google.guava:guava@[1.0, 32.0.0-jre)

guava-libraries: all versions affected

Remediation

Upgrade to Guava 32.0.1 (32.0.0 is sufficient on non-Windows systems). Where your own code creates temporary files, use an API that creates the file atomically with restrictive permissions, such as java.nio.file.Files.createTempFile with explicit POSIX attributes. Do not use name-only generators such as tmpnam: they return a name without creating the file, which leaves exactly the window between choosing the name and opening it that a local attacker needs.

Point the temporary file directory at a private directory (for example via -Djava.io.tmpdir) and make sure that directory is owned by the service account with permissions that exclude other users.
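To make the description and the remediation advice concrete, the following is an added example written for this page; it is not Guava's code and not the upstream fix. It puts the weak pattern (a file created straight into the shared java.io.tmpdir with the process umask) next to a hardened one (an owner-only directory plus an owner-only file, both created atomically by java.nio). The class name TempFileDemo and the methods weakTempFile, hardenedTempFile, posixSupported, isOwnerOnly and describe are assumptions of this example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Editor's illustration for CVE-2023-2976: the weak temp-file pattern next to
 * a hardened one. Not Guava's code and not the upstream fix; the class and
 * method names are assumptions made for this example.
 */
public class TempFileDemo {

    /**
     * Weak pattern: the file lands directly in the shared java.io.tmpdir and
     * is created with the process umask (commonly 0644 on Linux), so any other
     * local user or app that can reach the temp directory can read it.
     */
    static File weakTempFile() throws IOException {
        return File.createTempFile("FileBackedOutputStream", null);
    }

    /**
     * Hardened pattern: an owner-only private directory (rwx------) under the
     * temp root and an owner-only file (rw-------) inside it. Both are created
     * atomically by java.nio, so there is no window in which a pre-created
     * file of the same name could be picked up. Windows has no POSIX
     * permission model, so there the JDK defaults are used instead of failing.
     */
    static Path hardenedTempFile() throws IOException {
        Path dir;
        Path file;
        if (posixSupported()) {
            FileAttribute<Set<PosixFilePermission>> dirPerms =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
            FileAttribute<Set<PosixFilePermission>> filePerms =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
            dir = Files.createTempDirectory("fbos-", dirPerms);
            file = Files.createTempFile(dir, "fbos-", ".tmp", filePerms);
        } else {
            dir = Files.createTempDirectory("fbos-");
            file = Files.createTempFile(dir, "fbos-", ".tmp");
        }
        // deleteOnExit runs in reverse registration order: the file goes first,
        // then the (by then empty) directory.
        dir.toFile().deleteOnExit();
        file.toFile().deleteOnExit();
        return file;
    }

    static boolean posixSupported() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    /** True when nobody but the owner can read or write the file (POSIX only). */
    static boolean isOwnerOnly(Path p) throws IOException {
        if (!posixSupported()) {
            return false; // no POSIX bits to inspect; check ACLs on Windows instead
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.equals(PosixFilePermissions.fromString("rw-------"));
    }

    /** Human-readable permission string, e.g. "rw-r--r--". */
    static String describe(Path p) throws IOException {
        return posixSupported()
            ? PosixFilePermissions.toString(Files.getPosixFilePermissions(p))
            : "n/a (no POSIX view)";
    }

    public static void main(String[] args) throws IOException {
        Path weak = weakTempFile().toPath();
        Path hard = hardenedTempFile();
        System.out.println("weak:     " + weak + "  " + describe(weak)
            + "  ownerOnly=" + isOwnerOnly(weak));
        System.out.println("hardened: " + hard + "  " + describe(hard)
            + "  ownerOnly=" + isOwnerOnly(hard));
        Files.deleteIfExists(weak);
    }
}
```

Compile with javac TempFileDemo.java and run with java TempFileDemo. On Linux with the usual umask of 022 the weak file shows up as rw-r--r-- and ownerOnly=false; with umask 077 even the weak variant comes out owner-only, which is the point: permissions have to be set explicitly at creation time rather than inherited from whatever umask the process happens to run with. An application that cannot upgrade Guava yet can still apply the directory-level advice above without a code change by starting the JVM with -Djava.io.tmpdir pointing at a directory that only the service account can enter.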

Reference links

https://www.oscs1024.com/hd/MPS-mfku-xzh3

https://nvd.nist.gov/vuln/detail/CVE-2023-2976

https://github.com/google/guava/issues/2575

https://github.com/google/guava/issues/6532

https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284

About Murphy Security

Murphy Security is a technology company providing professional software supply chain security management. Its core team comes from Baidu, Huawei, Wuyun and other companies. The company offers a complete software supply chain security management platform that covers the whole software life cycle around the SBOM; its capabilities include software composition analysis, source-code security management, container image scanning, vulnerability intelligence early warning, and supply chain access assessment for commercial software, giving customers end-to-end control from supply chain asset identification and management through risk detection, security control and one-click remediation.

Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product integrates with the tools already in your development process at very low cost, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor and Nexus.

Free code security detection tool:  https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj




Source: blog.csdn.net/murphysec/article/details/131400297