Guava Google Guava

Do you want an email whenever new security vulnerabilities are reported in Google Guava?

By the Year

In 2024 there have been 0 vulnerabilities in Google Guava . Last year Guava had 1 security vulnerability published. Right now, Guava is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 1 7.10
2022 0 0.00
2021 0 0.00
2020 1 3.30
2019 0 0.00
2018 1 5.90

It may take a day or so for new Guava vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Google Guava Security Vulnerabilities

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich

CVE-2023-2976 7.1 - High - June 14, 2023

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Files or Directories Accessible to External Parties

A temp directory creation vulnerability exists in all versions of Guava

CVE-2020-8908 3.3 - Low - December 10, 2020

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Incorrect Permission Assignment for Critical Resource

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers

CVE-2018-10237 5.9 - Medium - April 26, 2018

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Allocation of Resources Without Limits or Throttling

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Virtualization Host or by Google? Click the Watch button to subscribe.

Google
Vendor

Google Guava
Product

subscribe