Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-fnpa-1sqy-u7hw
Vulnerability ID VCID-fnpa-1sqy-u7hw
Aliases CVE-2023-2976
GHSA-7g45-4rm6-3mm3
Summary Guava vulnerable to insecure use of temporary directory Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-379 Creation of Temporary File in Directory with Insecure Permissions
CWE-552 Files or Directories Accessible to External Parties
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 4.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-2976.json
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
epss 0.00065 https://api.first.org/data/v1/epss?cve=CVE-2023-2976
cvssv3.1 5.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-7g45-4rm6-3mm3
cvssv3.1 5.5 https://github.com/google/guava
generic_textual MODERATE https://github.com/google/guava
cvssv3.1 5.5 https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284
generic_textual MODERATE https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284
cvssv3.1 5.5 https://github.com/google/guava/issues/2575
generic_textual MODERATE https://github.com/google/guava/issues/2575
ssvc Track https://github.com/google/guava/issues/2575
cvssv3.1 5.5 https://github.com/google/guava/issues/6532
generic_textual MODERATE https://github.com/google/guava/issues/6532
cvssv3.1 5.5 https://github.com/google/guava/releases/tag/v32.0.0
generic_textual MODERATE https://github.com/google/guava/releases/tag/v32.0.0
cvssv3.1 5.5 https://nvd.nist.gov/vuln/detail/CVE-2023-2976
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-2976
cvssv3.1 5.5 https://security.netapp.com/advisory/ntap-20230818-0008
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20230818-0008
cvssv3.1 5.5 https://security.netapp.com/advisory/ntap-20230818-0008/
ssvc Track https://security.netapp.com/advisory/ntap-20230818-0008/
cvssv3.1 5.5 https://security.netapp.com/advisory/ntap-20241108-0002
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20241108-0002
cvssv3.1 5.5 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html
generic_textual MODERATE https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html
ssvc Track https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-2976.json
https://api.first.org/data/v1/epss?cve=CVE-2023-2976
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2976
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/google/guava
https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284
https://github.com/google/guava/issues/2575
https://github.com/google/guava/issues/6532
https://github.com/google/guava/releases/tag/v32.0.0
https://security.netapp.com/advisory/ntap-20230818-0008
https://security.netapp.com/advisory/ntap-20241108-0002
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html
1038979 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038979
2215229 https://bugzilla.redhat.com/show_bug.cgi?id=2215229
CVE-2023-2976 https://nvd.nist.gov/vuln/detail/CVE-2023-2976
GHSA-7g45-4rm6-3mm3 https://github.com/advisories/GHSA-7g45-4rm6-3mm3
ntap-20230818-0008 https://security.netapp.com/advisory/ntap-20230818-0008/
RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165
RHSA-2023:5491 https://access.redhat.com/errata/RHSA-2023:5491
RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678
RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777
RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
RHSA-2024:1027 https://access.redhat.com/errata/RHSA-2024:1027
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-2976.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/google/guava
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/google/guava/issues/2575
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-18T04:00:21Z/ Found at https://github.com/google/guava/issues/2575
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/google/guava/issues/6532
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/google/guava/releases/tag/v32.0.0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-2976
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20230818-0008
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20230818-0008/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-18T04:00:21Z/ Found at https://security.netapp.com/advisory/ntap-20230818-0008/
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20241108-0002
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-18T04:00:21Z/ Found at https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.20326
EPSS Score 0.00065
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:51:24.584766+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/com.google.guava/guava/CVE-2023-2976.yml 38.0.0