What is CVE-2023-2976?

CVE-2023-2976 is a vulnerability that allows other users and apps on Unix systems and Android Ice Cream Sandwich to access files created in Java's default temporary directory in FileBackedOutputStream in Google Guava versions 1.0 to 31.1.

What is the severity of CVE-2023-2976?

The severity of CVE-2023-2976 is high with a severity value of 7.1.

How does CVE-2023-2976 affect affected software?

CVE-2023-2976 affects Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich.

How can I fix CVE-2023-2976?

To fix CVE-2023-2976, it is recommended to upgrade to Google Guava version 32.0.0 or higher.

What are the references for CVE-2023-2976?

The references for CVE-2023-2976 are: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-2976), [GitHub Issue 2575](https://github.com/google/guava/issues/2575), [GitHub Issue 6532](https://github.com/google/guava/issues/6532).

Vulnerability/
CVE-2023-2976

high

7.1

CWE

552

14/6/2023

6/5/2024

CVE-2023-2976: Use of temporary directory for file creation in `FileBackedOutputStream` in Guava

First published: Wed Jun 14 2023(Updated: )

Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using Java's default temporary directory for file creation in FileBackedOutputStream. By sending a specially crafted request, an attacker could exploit this vulnerability to access the files in the default Java temporary directory, and use this information to launch further attacks against the affected system.

Credit: cve-coordination@google.com cve-coordination@google.com cve-coordination@google.com

Affected Software	Affected Version	How to fix
Google Guava	<32.0.0
maven/com.google.guava:guava	>=1.0<32.0.0-android	32.0.0-android
redhat/guava	<32.0.0	32.0.0
IBM Secure Proxy	<=6.0.3
IBM Secure Proxy	<=6.1.0

Remedy

https://github.com/google/guava/issues/2575

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7142038

Frequently Asked Questions

What is CVE-2023-2976?
CVE-2023-2976 is a vulnerability that allows other users and apps on Unix systems and Android Ice Cream Sandwich to access files created in Java's default temporary directory in FileBackedOutputStream in Google Guava versions 1.0 to 31.1.
What is the severity of CVE-2023-2976?
The severity of CVE-2023-2976 is high with a severity value of 7.1.
How does CVE-2023-2976 affect affected software?
CVE-2023-2976 affects Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich.
How can I fix CVE-2023-2976?
To fix CVE-2023-2976, it is recommended to upgrade to Google Guava version 32.0.0 or higher.
What are the references for CVE-2023-2976?
The references for CVE-2023-2976 are: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-2976), [GitHub Issue 2575](https://github.com/google/guava/issues/2575), [GitHub Issue 6532](https://github.com/google/guava/issues/6532).

collector/nvd-index
agent/type
agent/weakness
agent/author
agent/remedy
agent/severity
agent/description
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/software-canonical-lookup
collector/github-advisory-latest
source/GitHub
alias/GHSA-7g45-4rm6-3mm3
alias/CVE-2023-2976
collector/nvd-cve
agent/title
agent/event
agent/first-publish-date
collector/github-advisory
collector/ibm-support
source/IBM
agent/references
agent/softwarecombine
agent/tags
agent/last-modified-date
collector/redhat-bugzilla
source/Red Hat
vendor/google
canonical/google guava
package-manager/maven
vendor/ibm
canonical/ibm secure proxy
version/ibm secure proxy/6.0.3
version/ibm secure proxy/6.1.0
package-manager/redhat