CVE-2023-2976: Creation of Temporary File With Insecure Permissions in Google Guava
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
AI Analysis
Technical Summary
CVE-2023-2976 is a vulnerability in Google Guava, a widely used Java library, affecting the `FileBackedOutputStream` class in versions 1.0 through 31.1. On Unix-based systems and Android Ice Cream Sandwich, the class creates its temporary files in Java's default temporary directory with insecure permissions, so other users or applications on the same machine with access to that directory can read them. This can lead to unauthorized disclosure of sensitive information that the application stores temporarily during execution. The flaw affects confidentiality only, not the integrity or availability of the files. The CVSS v3.1 base score is 5.5 (medium severity), with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: exploitation requires local access, low attack complexity, low privileges and no user interaction, making this a local information disclosure risk. The vulnerability was addressed in Guava version 32.0.0; however, due to some functionality issues on Windows in that release, version 32.0.1 is recommended. No known exploits are currently reported in the wild. The vulnerability is particularly relevant for applications running on shared Unix systems or Android environments where multiple users or apps have access to the temporary directory.
Potential Impact
For European organizations, the primary impact of CVE-2023-2976 is the potential unauthorized disclosure of sensitive data through temporary files created by applications using vulnerable Guava versions. This risk is heightened in multi-tenant environments, shared Unix servers, or Android devices where multiple users or applications have access to the same temporary directory. Confidentiality breaches could lead to exposure of sensitive business information, intellectual property, or personal data, potentially violating GDPR and other data protection regulations. While the vulnerability does not affect data integrity or system availability, the loss of confidentiality can damage organizational reputation and lead to regulatory penalties. Organizations relying on Guava in backend services, middleware, or Android apps should assess their exposure, especially if these systems handle sensitive or regulated data. The requirement for local access limits remote exploitation, but insider threats or compromised accounts could leverage this vulnerability. Given the widespread use of Guava in Java applications across Europe, the vulnerability poses a moderate risk that should be addressed promptly to prevent data leakage.
Mitigation Recommendations
European organizations should immediately upgrade all instances of Google Guava to version 32.0.1, which contains the fix for this vulnerability and resolves Windows compatibility issues found in 32.0.0. For environments where immediate upgrade is not feasible, organizations should restrict access to the Java temporary directory to trusted users and processes only, minimizing the risk of unauthorized file access. Implementing strict filesystem permissions and using isolated temporary directories per application or user can reduce exposure. Additionally, developers should audit their use of FileBackedOutputStream and consider alternative secure temporary file handling mechanisms that explicitly set restrictive permissions. Monitoring and logging access to temporary directories can help detect suspicious activity. For Android applications, ensure that the app sandboxing and file storage permissions are correctly configured to prevent other apps from accessing temporary files. Finally, incorporate this vulnerability into vulnerability management and patching workflows to ensure timely updates across all affected systems.
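The permission handling recommended above, as an added example that is not code from Guava or from this advisory: it contrasts a file created through the legacy `java.io.File` API, whose mode follows the process umask, with a file created owner-only inside an owner-only directory. The class name `PrivateTempFiles` and the `app-spool` and `buffer` prefixes are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.*;

// Added example, not Guava code. Class name and file prefixes are hypothetical.
public class PrivateTempFiles {
    private static final Set<PosixFilePermission> NON_OWNER = EnumSet.of(
        PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
        PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    // True when group or others hold any permission bit on the path.
    static boolean exposedToOthers(Path p) throws IOException {
        return !Collections.disjoint(Files.getPosixFilePermissions(p), NON_OWNER);
    }

    // Owner-only file (0600) inside an owner-only directory (0700), both set at creation time.
    static Path createPrivateSpoolFile() throws IOException {
        FileAttribute<Set<PosixFilePermission>> dirMode =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        FileAttribute<Set<PosixFilePermission>> fileMode =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Path dir = Files.createTempDirectory("app-spool", dirMode);
        return Files.createTempFile(dir, "buffer", ".tmp", fileMode);
    }

    public static void main(String[] args) throws IOException {
        if (!FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            System.out.println("No POSIX permissions on the default file system; check ACLs instead.");
            return;
        }
        // Legacy API: the mode is whatever the process umask leaves (commonly 0644).
        Path legacy = File.createTempFile("legacy", ".tmp").toPath();
        Path hardened = createPrivateSpoolFile();
        try {
            System.out.println(legacy + " exposedToOthers=" + exposedToOthers(legacy));
            System.out.println(hardened + " exposedToOthers=" + exposedToOthers(hardened));
        } finally {
            for (Path p : List.of(legacy, hardened, hardened.getParent())) {
                Files.deleteIfExists(p);
            }
        }
    }
}
```

The `exposedToOthers` check can also be pointed at files an application has already written under `java.io.tmpdir` to audit existing exposure.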
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name
- Date Reserved: 2023-05-30T13:15:41.560Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6909262ffe7723195e0b5ed7
Added to database: 11/3/2025, 10:01:19 PM
Last enriched: 11/4/2025, 12:14:24 AM
Last updated: 11/6/2025, 1:43:43 PM