Bug 1906919 (CVE-2020-8908)
| Summary: | CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | guava 30.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Guava that creates temporary directories with default permissions similar to /tmp. This issue may allow local users access, possibly permitting information exposure. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-04 14:41:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1906920, 1906921, 1906922, 1906923, 1907649, 1907650, 1907651, 1907652, 1907653, 1907654, 1907655, 1907656, 1908330, 1908332, 1909294, 1909295, 1909297, 1911484, 1913092, 1913093 | | |
| Bug Blocks: | 1906924, 2014197 | | |
Description
Guilherme de Almeida Suckevicz
2020-12-11 19:07:56 UTC
Created guava tracking bugs for this issue: Affects: fedora-all [bug 1906920]

Created guava20 tracking bugs for this issue: Affects: fedora-32 [bug 1906921]

Created maven:3.5/guava20 tracking bugs for this issue: Affects: fedora-all [bug 1906922]

Created maven:3.6/guava tracking bugs for this issue: Affects: fedora-all [bug 1906923]

OpenShift Container Platform separates /tmp directory in a container from that on the host. Unprivileged containers such as the ones which include the guava dependency do not have permissions to mount the host, or other container's /tmp directory so this vulnerability has no impact.

Statement: Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.

This issue has been addressed in the following products: Red Hat AMQ 7.8.1 Via RHSA-2021:0417 https://access.redhat.com/errata/RHSA-2021:0417

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8908

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2021:0885 https://access.redhat.com/errata/RHSA-2021:0885

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:0873 https://access.redhat.com/errata/RHSA-2021:0873

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:0874 https://access.redhat.com/errata/RHSA-2021:0874

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:0872 https://access.redhat.com/errata/RHSA-2021:0872

This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.6 Via RHSA-2021:0974 https://access.redhat.com/errata/RHSA-2021:0974

This issue has been addressed in the following products: Red Hat EAP-XP via EAP 7.3.x base Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210

This issue has been addressed in the following products: Red Hat Satellite 6.10 for RHEL 7 Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

This issue has been addressed in the following products: RHINT Camel-Q 2.2.1 Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013

This issue has been addressed in the following products: RHINT Camel-K 1.6.4 Via RHSA-2022:1029 https://access.redhat.com/errata/RHSA-2022:1029
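The Doc Text above describes the flaw (a temporary directory created with the default /tmp-style permissions, so other local users can read it). The following is an added example, not code from this bug report or from Guava, showing the defender-side replacement for the pre-30.0 Guava helper: create the directory with owner-only permissions applied atomically at creation, then fail closed if the resulting mode still grants group or world access. It assumes a POSIX file system (the page's OS field is Linux) and that the affected helper is Guava's `com.google.common.io.Files.createTempDir()`, which the page itself does not name.

```java
// Added example (not from the bug report or Guava): owner-only temp
// directory creation with a post-creation permission check. Assumes a
// POSIX file system; on Windows the POSIX attribute calls throw.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public final class SafeTempDir {

    /** Creates a temp directory readable, writable and searchable only by the current user. */
    public static Path create(String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        // The mode is passed to mkdir itself, so there is no window between
        // creation and a later chmod in which the directory is world-readable.
        Path dir = Files.createTempDirectory(prefix,
                PosixFilePermissions.asFileAttribute(ownerOnly));
        verifyOwnerOnly(dir);
        return dir;
    }

    /** Fails closed if group or others have any access to the directory. */
    public static void verifyOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : actual) {
            switch (p) {
                case GROUP_READ: case GROUP_WRITE: case GROUP_EXECUTE:
                case OTHERS_READ: case OTHERS_WRITE: case OTHERS_EXECUTE:
                    throw new IOException(dir + " is accessible to other local users: " + actual);
                default:
                    break;
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dir = create("app-");
        System.out.println("created " + dir + " with mode "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)));
        Files.delete(dir);
    }
}
```

The same `verifyOwnerOnly` check can be run against directories produced by older code paths that cannot yet be upgraded to guava 30.0, turning a silent exposure into a hard failure at startup.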