Bug 2215229 (CVE-2023-2976)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-2976 guava: insecure temporary directory creation | | |
| Product | [Other] Security Response | Reporter | Sandipan Roy <saroy> |
| Component | vulnerability | Assignee | Sayan Biswas <sabiswas> |
| Status | NEW | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aazores, adupliak, aileenc, alampare, alazarot, almacdon, anstephe, aogburn, apjagtap, asatyam, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, csutherl, dandread, darran.lofthouse, dfreiber, dhanak, dhughes, diagrawa, dkreling, dosoudil, drichtar, eaguilar, ebaron, eglynn, ehelms, emingora, eric.wittmann, fdemeloj, fjuma, fmongiar, gjospin, gmalinko, gsmet, gzaronik, ibek, ivassile, iweiss, janstey, jburrell, jcantril, jclere, jjoyce, jkang, jmartisk, jnethert, jolee, jpallich, jpechane, jpoth, jrokos, jross, jschatte, jscholz, jsherril, jstastny, jvanek, kverlaen, lbacciot, lgao, lhh, lthon, lzap, max.andersen, mburns, mgarciac, mhulan, mizdebsk, mmadzin, mnovotny, mosmerov, msochure, mstefank, msvehla, myarboro, nmoumoul, nwallace, orabin, pantinor, pcreech, pdelbell, pdrozd, peholase, periklis, pgallagh, pgrist, pjindal, pmackay, probinso, pskopek, rchan, rguimara, rhcs-maint, rjohnson, rkieley, rogbas, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, sdouglas, sfroberg, smaestri, sthorger, swoodman, szappis, tcunning, tom.jenkinson, tqvarnst, vkumar, yfang, yhuang |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | guava 32.0.0 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Guava. The way Guava creates temporary directories and files can allow other local users or applications with sufficient permissions to access the temporary files, possibly leading to information exposure or tampering with the files created in that directory. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2232210, 2215230, 2215231, 2215232, 2232209 | | |
| Bug Blocks | 2215233 | | |
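The Doc Text above describes the flaw but does not name the affected Guava API. The following is an added example (not Guava's or Red Hat's code) showing the property an application wants from its own temporary files regardless of library version: creation with owner-only mode through java.nio.file instead of relying on the shared default temporary directory and the process umask, plus a check that reports whether any group or other permission bit is set. It assumes a POSIX filesystem and Java 7 or later; the class and method names are the example's own.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Added example, not Guava's code. Assumes a POSIX filesystem: the permission
// attribute used below throws UnsupportedOperationException on Windows.
public final class PrivateTemp {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ,
                       PosixFilePermission.OWNER_WRITE,
                       PosixFilePermission.OWNER_EXECUTE);

    private PrivateTemp() {}

    // Directory is created with mode 0700 in a single call, so it never
    // exists with looser bits, whatever the process umask happens to be.
    public static Path createDir(String prefix) throws IOException {
        FileAttribute<Set<PosixFilePermission>> attr =
                PosixFilePermissions.asFileAttribute(OWNER_ONLY);
        return Files.createTempDirectory(prefix, attr);
    }

    // File is created with mode 0600 inside the caller's private directory
    // rather than directly in the shared java.io.tmpdir.
    public static Path createFile(Path privateDir, String prefix) throws IOException {
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(
                EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
        return Files.createTempFile(privateDir, prefix, ".tmp", attr);
    }

    // True if any bit other than the owner's is set: the condition that lets
    // other local users read or tamper with the temporary data.
    public static boolean isSharedWithOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return !OWNER_ONLY.containsAll(perms);
    }

    public static void main(String[] args) throws IOException {
        Path dir = createDir("app-");
        Path file = createFile(dir, "data-");
        System.out.println(dir + " shared with others: " + isSharedWithOthers(dir));
        System.out.println(file + " shared with others: " + isSharedWithOthers(file));
        Files.delete(file);
        Files.delete(dir);
    }
}
```

Running isSharedWithOthers over the temporary paths an application already produces is a quick way to confirm whether a vulnerable library version, or the application's own code, is leaving data readable by other local accounts.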
Description
Sandipan Roy
2023-06-15 06:22:33 UTC
Created guava tracking bugs for this issue:
Affects: fedora-37 [bug 2232209]
Affects: fedora-38 [bug 2232210]

This issue has been addressed in the following products:
Red Hat AMQ Streams 2.5.0
Via RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165

Hi Team,
Customer reported this CVE affected image ubi8/openjdk-17:1.16-2. Do we have a plan to fix the CVE in this image? Any update will be appreciated.
Image: https://catalog.redhat.com/software/containers/ubi8/openjdk-17/618bdbf34ae3739687568813?tag=1.16-2&push_date=1690216094000
Best Regards,
Catherine

This issue has been addressed in the following products:
AMQ Broker 7.11.2
Via RHSA-2023:5491 https://access.redhat.com/errata/RHSA-2023:5491

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Via RHSA-2023:7639 https://access.redhat.com/errata/RHSA-2023:7639

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2023:7637 https://access.redhat.com/errata/RHSA-2023:7637

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2023:7638 https://access.redhat.com/errata/RHSA-2023:7638

This issue has been addressed in the following products:
EAP 7.4.14
Via RHSA-2023:7641 https://access.redhat.com/errata/RHSA-2023:7641

This issue has been addressed in the following products:
Red Hat AMQ Streams 2.6.0
Via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678

This issue has been addressed in the following products:
Red Hat build of Quarkus 2.13.9
Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700

This issue has been addressed in the following products:
OpenShift Developer Tools and Services for OCP 4.14
Via RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777

This issue has been addressed in the following products:
OpenShift Developer Tools and Services for OCP 4.12
Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 8
Via RHSA-2024:0799 https://access.redhat.com/errata/RHSA-2024:0799

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 9
Via RHSA-2024:0800 https://access.redhat.com/errata/RHSA-2024:0800

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 7
Via RHSA-2024:0798 https://access.redhat.com/errata/RHSA-2024:0798

This issue has been addressed in the following products:
RHEL-8 based Middleware Containers
Via RHSA-2024:0801 https://access.redhat.com/errata/RHSA-2024:0801

This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2024:0804 https://access.redhat.com/errata/RHSA-2024:0804

This issue has been addressed in the following products:
MTA-6.2-RHEL-9
MTA-6.2-RHEL-8
Via RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027

Marking EAP-8 as not affected because EAP 8 GA was released with the fixed version.

This issue has been addressed in the following products:
Red Hat build of Apache Camel 4.4.0 for Spring Boot
Via RHSA-2024:2707 https://access.redhat.com/errata/RHSA-2024:2707