CVE-2020-8908 in WebLogic Server
Summary
by MITRE • 12/11/2020
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/25/2026
The vulnerability identified as CVE-2020-8908 represents a critical security flaw in Google's Guava library that affects all versions prior to 30.0. This issue stems from the improper handling of temporary directory creation through the deprecated com.google.common.io.Files.createTempDir() method, which creates temporary directories with insecure default permissions on unix-like systems. The vulnerability falls under the category of insecure temporary file handling and can be classified as CWE-377, specifically addressing weak permissions on temporary files and directories. The flaw enables local privilege escalation attacks where an attacker with system access can potentially read sensitive data that was intended to be isolated within these temporary directories, creating a significant confidentiality risk.
The technical implementation of this vulnerability occurs when the Guava library's createTempDir() method generates temporary directories without explicitly setting restrictive permissions. On unix-like systems, the default permissions for these directories are typically world-readable, meaning any user on the system can access the contents of the temporary directory. This creates a persistent security risk as the temporary directory may contain sensitive information processed by applications using the Guava library. The vulnerability is particularly concerning because it operates at the filesystem level and does not require network access or complex exploitation techniques. The method's deprecation in version 30.0 indicates Google's recognition of the security implications, as the API was fundamentally flawed in its design approach to temporary file management.
The operational impact of this vulnerability extends across numerous applications that rely on Guava for temporary file operations, particularly in server environments where multiple users or processes may share the same system. Attackers can exploit this weakness by monitoring the temporary directory locations and accessing data that should remain private or protected. This vulnerability aligns with ATT&CK technique T1059.007, which covers the use of scripting languages for execution, as attackers may leverage the accessible temporary files to gain further system access or extract sensitive information. The risk is compounded in environments where applications process sensitive data, as the temporary directory may contain intermediate processing results, configuration files, or other confidential information that could be accessed by unauthorized users.
The recommended mitigation strategies focus on immediate migration away from the vulnerable Guava API to more secure alternatives. Android developers should utilize the context.getCacheDir() method which properly manages temporary directory permissions, while general Java developers should transition to the Java 7 standard library approach using java.nio.file.Files.createTempDirectory() which explicitly sets secure 700 permissions. Additionally, system administrators can configure the java.io.tmpdir system property to point to a directory with appropriately restricted permissions. This vulnerability demonstrates the importance of proper temporary file management and highlights how seemingly minor API design flaws can create significant security exposure points. The issue also underscores the need for regular library updates and the importance of heeding deprecation warnings, as the vulnerable API was marked deprecated in version 30.0, indicating that the security community had already identified the problematic behavior.