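Vulnerability Details
Google Guava Access Control Error Vulnerability
Vulnerability Summary
Google Guava is a Java core library from Google (USA) that includes a graph library, functional types, I/O, string processing, and more.
Guava versions before 30.0 contain an access control error vulnerability. It stems from a temporary directory creation flaw in Guava that allows an attacker with access to the machine to potentially access data in temporary directories created by Guava's com.google.common.io.Files.createTempDir(). An attacker can exploit this vulnerability to access special directories.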
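The following is an added example, not Guava's code and not part of the original advisory. It compares a temporary directory created with default permissions against one created owner-only with the JDK's java.nio.file.Files.createTempDirectory(), and reports which group/other permission bits each one carries. It assumes a POSIX file system; the class TempDirAudit and its helper methods are hypothetical, and the java.io.File.mkdir() call stands in for the affected creation pattern rather than calling Guava.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical helper class for this example; assumes a POSIX file system.
public class TempDirAudit {
    // Bits that give any user other than the owner access to the directory.
    private static final Set<PosixFilePermission> NON_OWNER =
            EnumSet.copyOf(PosixFilePermissions.fromString("---rwxrwx"));

    // Create a temporary directory that only the owning user can list, enter or modify.
    static Path createPrivateTempDir(String prefix) throws IOException {
        return Files.createTempDirectory(prefix, PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rwx------")));
    }

    // Return the group/other permissions set on dir; an empty set means owner-only.
    static Set<PosixFilePermission> nonOwnerAccess(Path dir) throws IOException {
        Set<PosixFilePermission> found = EnumSet.noneOf(PosixFilePermission.class);
        found.addAll(Files.getPosixFilePermissions(dir));
        found.retainAll(NON_OWNER);
        return found;
    }

    public static void main(String[] args) throws IOException {
        // Stand-in for the affected pattern: mkdir() applies only the process umask,
        // so with a typical umask of 022 the directory is readable by every local user.
        File weak = new File(System.getProperty("java.io.tmpdir"), "demo-" + System.nanoTime());
        if (!weak.mkdir()) {
            throw new IOException("could not create " + weak);
        }
        Path hardened = createPrivateTempDir("demo-");
        try {
            System.out.println("mkdir():               " + nonOwnerAccess(weak.toPath()));
            System.out.println("createTempDirectory(): " + nonOwnerAccess(hardened));
        } finally {
            Files.delete(weak.toPath());
            Files.delete(hardened);
        }
    }
}
```

The nonOwnerAccess() check can also be pointed at temporary directories an application has already created, to confirm that none of them is accessible to other local accounts.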
Vulnerability Advisory
The vendor has released an upgrade patch that fixes the vulnerability. The patch is available at:
https://github.com/google/guava/issues/4011
Affected Entities
None listed
Patches
- Fix for the Google Guava access control error vulnerability (2020-12-10)