{"id":"CVE-2020-8908","details":"A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.","aliases":["GHSA-5mg8-w23w-74h3"],"modified":"2026-04-16T04:32:34.506129038Z","published":"2020-12-10T23:15:13.973Z","related":["CGA-w93v-xw63-rv54","SNYK-JAVA-COMGOOGLEGUAVA-1015415","SUSE-SU-2023:3090-1","SUSE-SU-2024:1138-1","openSUSE-SU-2024:10835-1"],"references":[{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220210-0003/"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415"},{"type":"FIX","url":"https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40"},{"type":"FIX","url":"https://github.com/google/guava/issues/4011"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/google/guava","events":[{"introduced":"0"},{"fixed":"6b1f97ced922d48f071153ad9e631d06383033a4"},{"introduced":"2537d1ed4795f8fad737a7bf6d6f93fbdfa28e54"},{"last_affected":"daa84b68f31898f67a51207e193ee2ddabb088bf"},{"fixed":"fec0dbc4634006a6162cfd4d0d09c962073ddf40"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"32.0.0"},{"introduced":"16.0"},{"last_affected":"19.0"}]}},{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"fixed":"60a549cadba9f9e10583b4348b5102e8b4087aa7"},{"introduced":"0"},{"last_affected":"02fdbdd85c8bd0476783d74705a90afac16178d1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.11.4"},{"introduced":"0"},{"last_affected":"1.2.1"}]}}],"versions":["1.2.1.Final","failureaccess-v1.0.1","jdk5-backport-branch-point","released-all-futures","v19.0","v19.0-rc1","v19.0-rc2","v19.0-rc3","v2.0","v7.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"11.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"fixed":"20.3"}]},{"events":[{"introduced":"0"},{"last_affected":"8.57"}]},{"events":[{"introduced":"0"},{"last_affected":"8.58"}]},{"events":[{"introduced":"0"},{"last_affected":"8.59"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.14.0"}]},{"events":[{"introduced":"17.7"},{"last_affected":"17.12"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]},{"events":[{"introduced":"0"},{"last_affected":"20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12"}]}],"vanir_signatures":[{"signature_type":"Line","id":"CVE-2020-8908-198203f0","digest":{"line_hashes":["244004072759715381362783025308972603407","191696127954200063996670176044108409736","178977789205042937699363365843067219663","57691104357535497419766474869340073891"],"threshold":0.9},"target":{"file":"guava/src/com/google/common/io/Files.java"},"source":"https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40","deprecated":false,"signature_version":"v1"},{"source":"https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40","id":"CVE-2020-8908-d54d1950","digest":{"line_hashes":["244004072759715381362783025308972603407","191696127954200063996670176044108409736","178977789205042937699363365843067219663","57691104357535497419766474869340073891"],"threshold":0.9},"target":{"file":"android/guava/src/com/google/common/io/Files.java"},"signature_version":"v1","signature_type":"Line","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8908.json","vanir_signatures_modified":"2026-04-11T17:01:37Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}]}