[
https://issues.apache.org/jira/browse/QPID-8485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alex Rudyy resolved QPID-8485.
------------------------------
Resolution: Fixed
> Upgrade guava version to latest
> -------------------------------
>
> Key: QPID-8485
> URL: https://issues.apache.org/jira/browse/QPID-8485
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Reporter: Dedeepya
> Priority: Minor
> Fix For: qpid-java-broker-8.0.3
>
>
> Security vulnerabilities are reported with the guava version below 28.2-jre.
> This package are vulnerable to Information Disclosure. The file permissions
> on the file created by com.google.common.io.Files.createTempDir allows an
> attacker running a malicious program co-resident on the same machine can
> steal secrets stored in this directory. This is because by default on
> unix-like operating systems the /temp directory is shared between all users,
> so if the correct file permissions aren't set by the directory/file creator,
> the file becomes readable by all other users on that system.
> [https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415]
> The Qpid Broker does not utilize the impacted functionality. Thus, it is not
> vulnerable to the reported issue. Though, we need to upgrade the guava
> version in order to stop from being flagged by scanning tools
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
