正文

google guava 关键资源的不正确权限授予

admin
admin V管理员 /0 评论 /19 阅读
0418
此篇文章发布距今已超过1180天,您需要注意文章的内容或图片是否可用!

CVE编号

CVE-2020-8908

利用情况

暂无

补丁情况

官方补丁

披露时间

2020-12-11
漏洞描述
Google Guava是美国谷歌(Google)公司的一款包括图形库、函数类型、I/O和字符串处理等的Java核心库。
Guava 30.0版本之前存在访问控制错误漏洞,该漏洞源于Guava存在一个临时目录创建漏洞,允许访问机器的攻击者可利用该漏洞潜在地访问由Guava com.google.common.io.Files.createTempDir()创建的临时目录中的数据。攻击者可以利用该漏洞访问特殊目录。
解决建议
厂商已发布了漏洞修复程序,请及时关注更新:
https://github.com/google/guava/issues/4011
参考链接
https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40
https://github.com/google/guava/issues/4011
https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f6...
https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6...
https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f59...
https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb...
https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d055...
https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60...
https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328c...
https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08a...
https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350...
https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f...
https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423...
https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8ad...
https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817d...
https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8...
https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528e...
https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367...
https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb...
https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a056...
https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc...
https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0...
https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e8...
https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99...
https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a...
https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24a...
https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6...
https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce637...
https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc...
https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c...
https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05...
https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f51...
https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449...
https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73e...
https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083...
https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f...
https://security.netapp.com/advisory/ntap-20220210-0003/
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 google guava * Up to
(excluding)
30.0
运行在以下环境
系统 fedora_35 guava * Up to
(excluding)
1.9.4-6.fc35
阿里云评分 3.4
  • 攻击路径 远程
  • 攻击复杂度 容易
  • 权限要求 无需权限
  • 影响范围 有限影响
  • EXP成熟度 未验证
  • 补丁情况 官方补丁
  • 数据保密性 无影响
  • 数据完整性 无影响
  • 服务器危害 无影响
  • 全网数量 N/A
CWE-ID 漏洞类型 CWE-732 关键资源的不正确权限授予