DEBIAN-CVE-2020-8908
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
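The migration recommended above, written out as an added example (it is not code from Guava or from this advisory). The class name `PrivateTempDir`, the helper `createPrivateTempDir`, the `app-` prefix and the file name `session.dat` are assumptions made for illustration; only JDK APIs are used.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class PrivateTempDir {

    // Before (requires Guava on the classpath; @Deprecated since 30.0):
    //   File dir = com.google.common.io.Files.createTempDir();

    /** Hypothetical helper: creates a temp directory only the owning user can access. */
    static Path createPrivateTempDir(String prefix) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            // No POSIX mode bits on this file system (e.g. Windows); passing a
            // POSIX attribute would throw UnsupportedOperationException.
            return Files.createTempDirectory(prefix);
        }
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        Path dir = Files.createTempDirectory(prefix, PosixFilePermissions.asFileAttribute(ownerOnly));
        // Confirm the mode that was actually applied before storing anything in it.
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir);
        if (!actual.equals(ownerOnly)) {
            Files.delete(dir);
            throw new IOException("unexpected temp dir mode: " + PosixFilePermissions.toString(actual));
        }
        return dir;
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("app-");
        Path file = dir.resolve("session.dat");
        try {
            // Constructed sample data; the 700 directory blocks other users from reaching it.
            Files.write(file, "constructed sample data".getBytes(StandardCharsets.UTF_8));
            System.out.println("created " + dir);
        } finally {
            Files.deleteIfExists(file);
            Files.deleteIfExists(dir);
        }
    }
}
```

The directory is still created under `java.io.tmpdir`, so the advisory's other option (pointing that property at a location with appropriate permissions) can be combined with this helper.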
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | guava-libraries | 32.0.1-1, 0, 31.1-1 |
| Debian:11 | guava-libraries | 0, 29.0-6, 32.0.1-1 |
| Debian:14 | guava-libraries | 0, 0, 0 |
| Debian | guava-libraries | |
| Debian:13 | guava-libraries | 0, 0, 0 |
Exploit Intelligence
- ScanOssFunTest.kt (github-poc)
- druid-612f0710.json (github-poc)
- pom.xml (github-poc)
- suppression.xml (github-poc)
- dependency-check-suppression.xml (github-poc)
- dependency-check-suppressions.xml (github-poc)
Timeline
- Dec 10, 2020 CVE Published
- Apr 28, 2026 CVE Updated