CVE-2020-8908

Incorrectly Configured Access Control
Affects
Google Guava
Versions
<32.0.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Guava is a widely used set of core Java libraries developed by Google that provides utilities for collections, caching, concurrency, hashing, I/O operations, and more. One common API in Guava is com.google.common.io.Files.createTempDir(), which creates a temporary directory for use by applications.

A security vulnerability (CVE-2020-8908) has been identified in Guava affecting versions where the createTempDir() method lacks secure permission handling. Because the temporary directory is created with default, world-readable permissions on many Unix-like systems, an attacker with access to the machine could potentially read sensitive files placed there. Systems that create temporary directories using this vulnerable API without additional permission restrictions are exposed.

Per OWASP: Incorrect Permission Assignment for Critical Resource occurs when a resource is given a permission setting that provides access to a wider range of actors than required. This can lead to the exposure of sensitive information, or to the modification of that resource by unintended parties. It is especially dangerous when the resource is related to program configuration, execution, or sensitive user data.

This issue affects multiple versions of Google Guava.

Details

Module Info

Vulnerability Info

This low-severity vulnerability exists in the Guava library’s temporary directory creation API. The createTempDir() method constructs a directory in the default temporary file area without explicitly setting restrictive file system permissions. On Unix-like operating systems, directories created in this way inherit standard world-readable permissions, allowing any local user with access to the system to list or read files placed within.

When an application uses this method to store sensitive data in temporary directories, an attacker with local system access could view that data due to the insecure permissions. The vulnerable behavior affects all Guava versions prior to the fix.

Steps To Reproduce

  1. Use a Java application that depends on a Guava version before the fix and calls com.google.common.io.Files.createTempDir() to create temporary directories.
  2. On a Unix-like system, run the application under a user account that writes sensitive files to the created temporary directory.
  3. From another local user account on the same machine, attempt to list or read the contents of the temporary directory created by the application.
  4. In affected versions, the directory and its contents will be accessible due to the world-readable default permissions.

Proof Of Concept

On a vulnerable setup, an attacker with non-privileged access to the same host can locate a temporary directory created via Files.createTempDir() by the application. Because the directory inherits permissive filesystem modes, the attacker can use simple file listing or read commands (e.g., ls and cat) to inspect its contents, disclosing any sensitive files written there. This demonstrates how insecure default directory permissions can lead to information exposure when sensitive data is placed in Guava-created temporary locations.
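The following Java program is an added illustration, not Guava's code or part of this advisory. It reproduces the mechanism described above in the Vulnerability Info and Proof Of Concept sections: a directory created with File.mkdir() takes its mode from the process umask (commonly 0755, so other local users can list and read it), whereas java.nio.file.Files.createTempDirectory with an owner-only PosixFilePermissions attribute yields a directory that other users cannot enter. The class and method names, and the "app-" prefix, are constructed for the example; the check requires a POSIX file system (Linux, macOS), since the PosixFilePermission calls throw UnsupportedOperationException on Windows.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Illustrative example (not Guava's own code): contrasts a temporary directory
 * created the way affected Guava versions did it with one created owner-only,
 * and inspects the resulting mode the way a defender auditing an application would.
 */
public class TempDirPermissionCheck {

    /**
     * Mirrors the affected behaviour: File.mkdir() applies the process umask to a
     * default mode, so under the common umask 022 the directory ends up 0755
     * (readable and listable by every local user). The name scheme is a constructed stand-in.
     */
    static File createTempDirLikeAffectedGuava() {
        File base = new File(System.getProperty("java.io.tmpdir"));
        File dir = new File(base, "app-" + System.nanoTime());
        if (!dir.mkdir()) {
            throw new IllegalStateException("failed to create " + dir);
        }
        return dir;
    }

    /**
     * Hardened form: the directory is created with rwx------ in a single call, so
     * there is no window in which another user could list it. (On POSIX the JDK
     * already defaults to rwx------ for createTempDirectory; passing the attribute
     * makes the intent explicit and survives a future change of defaults.)
     */
    static Path createPrivateTempDir() throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        return Files.createTempDirectory("app-", attr);
    }

    /** Returns true when any group or "others" bit is set, i.e. other local users can list or read it. */
    static boolean exposedToOtherUsers(Path dir) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(dir)) {
            switch (p) {
                case OWNER_READ:
                case OWNER_WRITE:
                case OWNER_EXECUTE:
                    break;
                default:
                    return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        File legacy = createTempDirLikeAffectedGuava();
        Path hardened = createPrivateTempDir();
        try {
            System.out.println(legacy + " exposed to other users: " + exposedToOtherUsers(legacy.toPath()));
            System.out.println(hardened + " exposed to other users: " + exposedToOtherUsers(hardened));
        } finally {
            // Clean up so the example leaves nothing behind in the shared temp area.
            Files.deleteIfExists(legacy.toPath());
            Files.deleteIfExists(hardened);
        }
    }
}
```

Run it on a Linux or macOS host and compare the two lines: the mkdir()-style directory reports as exposed whenever the umask leaves any group or other bits set, while the directory from createPrivateTempDir() does not. The exposedToOtherUsers() check is also usable on its own as a startup assertion for any directory an application intends to hold sensitive data, independent of which library created it.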

Mitigation

Only recent versions of Google Guava are community-supported. Only the recent community supported version will receive updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Google Guava.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

  • David P. Baker

Vulnerability Details
ID
CVE-2020-8908
Project Affected
Google Guava
Versions Affected
<32.0.0
Published date
January 5, 2026
≈ Fix date
August 27, 2020
Severity
Low (CVSS assessment: >=0 <4)
Category
Incorrectly Configured Access Control