Advisories for Maven/Com.google.guava/Guava package

2023

Files or Directories Accessible to External Parties

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version …

2020

Incorrect Permission Assignment for Critical Resource

A temp directory creation vulnerability exist in Guava allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir().The permissions granted to the directory created default to the standard unix-like/tmp` ones, leaving the files open.

2018

Deserialization of Untrusted Data

Unbounded memory allocation allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.