Security Bulletin: Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Jazz Reporting Services.

Summary

IBM Jazz Reporting Service Application Suite uses Google Guava package which is vulnerable to CVE-2023-2976.

Vulnerability Details

CVEID:CVE-2020-8908
**DESCRIPTION:**Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192996 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

CVEID: CVE-2023-2976 Description: Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using Java's default temporary directory for file creation in FileBackedOutputStream. By sending a specially crafted request, an attacker could exploit this vulnerability to access the files in the default Java temporary directory, and use this information to launch further attacks against the affected system.
CVSS Base Score: 5.5
Affected Versions: Various versions of Guava were affected, and the issue was addressed in Guava version 32.0.0 and later. **Resolution: **Released a iFix version for Jazz Reporting Service 7.0.2 iFix022: To ensure users could protect themselves from this vulnerability, the Guava 32.0.0 has been released in this ifix.

Workarounds and Mitigations

None