CVE编号
CVE-2020-8908利用情况
暂无补丁情况
官方补丁披露时间
2020-12-11漏洞描述
Google Guava是美国谷歌(Google)公司的一款包括图形库、函数类型、I/O和字符串处理等的Java核心库。Guava 30.0版本之前存在访问控制错误漏洞,该漏洞源于Guava存在一个临时目录创建漏洞,允许访问机器的攻击者可利用该漏洞潜在地访问由Guava com.google.common.io.Files.createTempDir()创建的临时目录中的数据。攻击者可以利用该漏洞访问特殊目录。
解决建议
厂商已发布了漏洞修复程序,请及时关注更新:https://github.com/google/guava/issues/4011
参考链接 |
|
---|---|
https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40 | |
https://github.com/google/guava/issues/4011 | |
https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f6... | |
https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6... | |
https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f59... | |
https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb... | |
https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d055... | |
https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60... | |
https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328c... | |
https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08a... | |
https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350... | |
https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f... | |
https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423... | |
https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8ad... | |
https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817d... | |
https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8... | |
https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528e... | |
https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367... | |
https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb... | |
https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a056... | |
https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc... | |
https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0... | |
https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e8... | |
https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99... | |
https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a... | |
https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24a... | |
https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6... | |
https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce637... | |
https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc... | |
https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c... | |
https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05... | |
https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f51... | |
https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449... | |
https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73e... | |
https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083... | |
https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f... | |
https://security.netapp.com/advisory/ntap-20220210-0003/ | |
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415 | |
https://www.oracle.com//security-alerts/cpujul2021.html | |
https://www.oracle.com/security-alerts/cpuApr2021.html | |
https://www.oracle.com/security-alerts/cpujan2022.html | |
https://www.oracle.com/security-alerts/cpuoct2021.html |
受影响软件情况
# | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
1 | |||||||||
---|---|---|---|---|---|---|---|---|---|
运行在以下环境 | |||||||||
应用 | guava | * |
Up to (excluding) 30.0 |
||||||
运行在以下环境 | |||||||||
系统 | fedora_35 | guava | * |
Up to (excluding) 1.9.4-6.fc35 |
- 攻击路径 远程
- 攻击复杂度 容易
- 权限要求 无需权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 N/A
还没有评论,来说两句吧...