Google Guava 30.1-jre Library Exposes Projects to Two Medium-Severity Vulnerabilities [Main Branch]
A security scan has flagged the widely used Google Guava library, version 30.1-jre, as containing two vulnerabilities with a highest severity score of 5.5 (Medium). The findings are specifically tied to the project's main branch and are marked as 'reachable,' indicating the vulnerable code paths are accessible and exploitable within the application's runtime context. This elevates the risk from a theoretical advisory to a tangible security exposure for any project depending on this specific artifact.
The primary vulnerability is identified as CVE-2023-2976, a direct dependency flaw within the `guava-30.1-jre.jar` file. While the Exploit Prediction Scoring System (EPSS) indicates a current exploit likelihood of less than 1%, the confirmed reachability means the attack surface is present. The library is a foundational suite of core Java utilities from Google, used by countless projects for collections, I/O, and other common functions, making this a pervasive supply chain risk. A fixed version is available in Guava 32.0.1 (both -jre and -android variants).
The persistence of this older, vulnerable version in a project's main development branch signals a potential gap in dependency management or patch application processes. For development teams, this creates immediate pressure to audit their dependency trees, prioritize the upgrade to the patched version, and reassess their software composition analysis (SCA) and CI/CD security gates. The 'reachable' classification transforms this from a mere compliance checklist item into an active security liability that requires remediation to prevent potential exploitation.
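One way to enforce the dependency audit and CI gate described above, as an added example that is not part of the advisory or of the Guava project: a small Python check that scans `mvn dependency:tree` output for `com.google.guava:guava` artifacts older than the 32.0.1 fix named above. The sample tree, the `find_vulnerable_guava` and `gate` functions, and the assumption that Maven prints coordinates as `group:artifact:packaging:version:scope` are all constructed for this illustration.

```python
# Added example: CI gate over `mvn dependency:tree` output, flagging any
# com.google.guava:guava artifact older than the 32.0.1 fix for CVE-2023-2976.
# Tree text and function names below are constructed, not from the advisory.
import re

FIXED_VERSION = (32, 0, 1)  # Guava 32.0.1 (-jre and -android) per the advisory

# Maven prints e.g. "[INFO] +- com.google.guava:guava:jar:30.1-jre:compile"
COORD_RE = re.compile(
    r"com\.google\.guava:guava:jar:([0-9]+(?:\.[0-9]+)*)(?:-(jre|android))?:(\w+)"
)

# Constructed sample of a dependency tree with one direct and one transitive Guava
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.google.guava:guava:jar:30.1-jre:compile
[INFO] |  \\- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] +- org.example:lib:jar:2.3.0:compile
[INFO] |  \\- com.google.guava:guava:jar:32.0.1-android:compile
[INFO] \\- com.google.guava:guava:jar:28.0-jre:test
"""

def parse_version(text):
    """Turn '30.1' into (30, 1, 0) so versions compare numerically, not lexically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def find_vulnerable_guava(tree_text, fixed=FIXED_VERSION):
    """Return (full_version, flavor, scope) for every Guava artifact below `fixed`.
    Both -jre and -android flavors are compared against the same fixed version."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        version, flavor, scope = m.group(1), m.group(2) or "", m.group(3)
        if parse_version(version) < fixed:
            full = version + ("-" + flavor if flavor else "")
            findings.append((full, flavor, scope))
    return findings

def gate(tree_text):
    """CI gate: report each vulnerable Guava copy (with its Maven scope, so the
    team can see whether it ships at runtime) and return False if any was found."""
    findings = find_vulnerable_guava(tree_text)
    for full, _, scope in findings:
        print(f"guava {full} ({scope}) predates 32.0.1: CVE-2023-2976 fix missing")
    return not findings

if __name__ == "__main__":
    raise SystemExit(0 if gate(SAMPLE_TREE) else 1)
```

Run it against real output by piping `mvn dependency:tree` into `gate`; a non-zero exit blocks the pipeline until the upgrade lands.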