CVE-2023-2976 (Guava vulnerability)

[brfrn169]

Question

In our Java project, we use the Guava library (com.google.guava:guava:32.0.0-jre). When we ran the Trivy vulnerability scanner, we got the following result:

Java (jar)
==========
Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────────────────────────┬───────────────┬──────────┬───────────────────┬────────────────┬───────────────────────────────────────────┐
│                    Library                     │ Vulnerability │ Severity │ Installed Version │ Fixed Version  │                   Title                   │
├────────────────────────────────────────────────┼───────────────┼──────────┼───────────────────┼────────────────┼───────────────────────────────────────────┤
│ com.google.guava:guava (graphql-java-20.4.jar) │ CVE-2023-2976 │ HIGH     │ 32.0.0-jre        │ 32.0.1-android │ insecure temporary directory creation     │
│                                                │               │          │                   │                │ https://avd.aquasec.com/nvd/cve-2023-2976 │
└────────────────────────────────────────────────┴───────────────┴──────────┴───────────────────┴────────────────┴───────────────────────────────────────────┘

However, upon reviewing the CVE-2023-2976 vulnerability, it appears that it is not the 32.0.1 version that resolves the CVE, but rather 32.0.0, according to the document:

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Therefore, I believe that the Trivy vulnerability scanner should not report this vulnerability. What are your thoughts?

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Operating System

No response

Version

No response

[DmitriyLewen]

Hello @brfrn169
Thanks for your report!

GitLab advisory database uses 32.0.1-android as fixed version.
I created #236 about this case.

Regards, Dmitriy

[DmitriyLewen]

#236 has been merged.

You will see changes after updating GitLab Advisories Community -> vuln-list -> Trivy-db

[brfrn169]

@DmitriyLewen Thank you for handling this!

[DmitriyLewen]

GitLab advisory database updated CVE-2023-2976

[dimay7]

Hello,
Should trivy suggest 32.0.0-jre or 32.0.0-android? I get the latter.

[DmitriyLewen]

Can you update Trivy? Looks like you db doesn't contain GitLab changes.

Result on my PC:

➜ trivy -d rootfs ./guava-31.1-jre.jar 
...

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────┐
│                   Library                   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                   Title                   │
├─────────────────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────┤
│ com.google.guava:guava (guava-31.1-jre.jar) │ CVE-2023-2976 │ HIGH     │ 31.1-jre          │ 32.0.0        │ insecure temporary directory creation     │
│                                             │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2976 │
└─────────────────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────┘

[dimay7]

Thanks. i'll try that