CVE-2023-2976 - Files or Directories Accessible to External Parties
Severity: Low2023-07-20
Abstract
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
The Oxygen products incorporate Google Guava as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| Oxygen XML Author v25.1 and older | Low | Oxygen XML Author 25.1 build 2023070306 |
| Oxygen XML Developer v25.1 and older | Low | Oxygen XML Developer 25.1 build 2023070306 |
| Oxygen XML Editor v25.1 and older | Low | Oxygen XML Editor 25.1 build 2023070306 |
| Oxygen XML Web Author v25.1.0.1 and older | None | Oxygen XML Web Author 26.0.0 build 2023101015 |
| Oxygen Content Fusion v5.1 and older | Low | Oxygen Content Fusion 5.1.1 build 2023072112 |
| Oxygen Feedback v3.0.1 and older | None | N/A |
| Oxygen Publishing Engine v25.1 and older | None | Oxygen Publishing Engine 25.1 build 2023063023 |
Detail
CVE-2023-2976
Severity: High
CVSS Score: 7.5
The Google Guava third-party library used by Oxygen XML products is an affected version mentioned in CVE-2023-2976 vulnerability description. However, since Oxygen XML products do not employ the FileBackedOutputStream class, we classify this vulnerability as low.
Starting with Oxygen XML v25.1 build 2023070306 Google Guava library was updated to v2.29 which fixes this vulnerability.
