Update guava version to latest to address CVE-2023-2976

Description

Update guava version to 32.0.1 or later to address CVE-2023-2976

pkg:maven/com.google.guava/guava@31.1-jre

Detail:

FileBackedOutputStream in Google Guava versions 1.0 to 31.1 creates its spill-over files in Java's default temporary directory (java.io.tmpdir). On Unix systems and on Android Ice Cream Sandwich that directory is shared, so other users and apps on the machine that can read it can access the files the class creates. The issue is fixed in version 32.0.0, but 32.0.1 is the recommended target because 32.0.0 breaks some functionality under Windows.
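Whether the flagged version is actually on the classpath, and which dependency pulls it in, is the question this ticket has to answer. As an added example that is not part of this ticket or of Guava itself, the following Python script classifies a Guava version against the fixed (32.0.0) and recommended (32.0.1) versions named in the advisory, taking the version either from a package URL like the one above or from `mvn dependency:tree -Dverbose` output. The dependency tree it parses is a constructed sample, and the io.searchbox:jest 6.3.1 node and com.example:app in it are hypothetical; the line layout it assumes is the standard three-characters-per-level drawing that the maven-dependency-plugin prints.

```python
"""Flag Guava versions affected by CVE-2023-2976 in purls and mvn dependency:tree output."""
import re
from typing import Dict, List, Optional, Tuple

FIXED_IN = (32, 0, 0)     # advisory: FileBackedOutputStream temp-file issue fixed in 32.0.0
RECOMMENDED = (32, 0, 1)  # advisory: 32.0.0 breaks some functionality under Windows

# Constructed sample of `mvn dependency:tree -Dverbose` output; not a real build.
# The (hypothetical) app pulls guava 31.1-jre directly, and the (hypothetical) jest
# 6.3.1 pulls 21.0, which Maven's nearest-wins mediation drops from the classpath.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- io.searchbox:jest:jar:6.3.1:compile
[INFO] |  \- (com.google.guava:guava:jar:21.0:compile - omitted for conflict with 31.1-jre)
[INFO] \- com.google.guava:guava:jar:31.1-jre:compile
[INFO]    \- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] BUILD SUCCESS
"""

GUAVA_COORD = re.compile(r"com\.google\.guava:guava:jar:([^:\s)]+):(\w+)")
GUAVA_PURL = re.compile(r"^pkg:maven/com\.google\.guava/guava@([^?#]+)")
# `[INFO] ` then tree-drawing characters (3 per nesting level), then the node text.
TREE_LINE = re.compile(r"^\[INFO\] (?P<prefix>[-+|\\ ]*)(?P<body>\S.*)$")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """'31.1-jre' -> (31, 1, 0); '32.0.1-android' -> (32, 0, 1); 'r09' -> None."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(?:jre|android))?", version)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    major, minor, patch = (parts + [0, 0, 0])[:3]
    return (major, minor, patch)


def assess(version: str) -> str:
    """Classify a guava version against the advisory's fixed and recommended versions."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"            # pre-10.0 release-train names such as r09; review by hand
    if parsed < FIXED_IN:
        return "vulnerable"
    if parsed < RECOMMENDED:
        return "fixed-windows-regression"
    return "ok"


def assess_purl(purl: str) -> Optional[str]:
    """Classify a package URL such as pkg:maven/com.google.guava/guava@31.1-jre."""
    m = GUAVA_PURL.match(purl)
    return assess(m.group(1)) if m else None


def scan_tree(text: str) -> List[Dict[str, object]]:
    """Report every guava node in a dependency tree with the path that pulls it in."""
    findings: List[Dict[str, object]] = []
    ancestors: List[str] = []   # coordinates of the nodes above the current one
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m or line.startswith("[INFO] ---") or ":" not in m.group("body"):
            continue                # plugin banner, BUILD SUCCESS, blank lines
        body = m.group("body")
        depth = len(m.group("prefix")) // 3
        coord = body.lstrip("(").split(" ", 1)[0]
        del ancestors[depth:]       # back up to this node's parent
        ancestors.append(coord)
        g = GUAVA_COORD.search(body)
        if g is None:
            continue
        version, scope = g.group(1), g.group(2)
        findings.append({
            "version": version,
            "scope": scope,
            "status": assess(version),
            # verbose output marks nodes that Maven dropped during mediation
            "on_classpath": "omitted for" not in body,
            "path": " -> ".join(ancestors[:-1]),
        })
    return findings


if __name__ == "__main__":
    print(assess_purl("pkg:maven/com.google.guava/guava@31.1-jre"))
    for finding in scan_tree(SAMPLE_TREE):
        print(finding)
```

Feed it the real output of `mvn dependency:tree -Dverbose` to see every place Guava enters the build. Nodes marked "omitted for conflict" are not what ships, so an old transitive Guava (like the 21.0 that Jest brings in) is only a problem if it wins mediation; the resolved node is the one to upgrade, and declaring 32.0.1 in dependencyManagement moves every path to it at once.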

Acceptance / Success Criteria

None

Activity


Christian Pape October 9, 2024 at 6:18 AM

As far as I understand CVE-2023-2976, the vulnerability is in the Google Guava class FileBackedOutputStream, which allows an attacker to gain access to temporary files. Since we do not use the class FileBackedOutputStream in our code, this does not seem to be a problem for us and does not affect us.
Of course it is possible that one of the dependencies we rely on uses this vulnerable class.

One of the problematic dependencies is the Jest library we use. It still uses Guava version 21, even in its latest release. I checked out this project, and even it does not use the vulnerable class.

Nishtha Kaura October 8, 2024 at 4:42 PM

Information Security Review

Impact: Files or Directories accessible to external parties

CVSS v3.1 Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS score 5.5 × likelihood (high = 1) = 5.5 (medium)


Created September 26, 2024 at 7:49 PM
Updated October 25, 2024 at 3:19 PM