## Guava 31.1-jre Library Exposes Workflow Bot App to Two Medium-Severity Vulnerabilities
A dependency scan has flagged the widely used Google Guava library, version 31.1-jre, as containing two vulnerabilities within a workflow bot application's build. The more severe of the two, CVE-2023-2976, carries a CVSS score of 5.5, is classified as medium severity, and is marked directly reachable. Reachability means the vulnerable code path is exposed within the application's runtime, which moves the issue from a theoretical risk to a tangible security exposure that could be exploited.

The vulnerable library, `guava-31.1-jre.jar`, is a direct dependency specified in the `/workflow-bot-app/build.gradle` file. Guava provides a suite of core Java utilities used by countless applications for collections, I/O, and other foundational operations. The specific jar file was pulled from a standard Gradle cache location, confirming its integration into the build and deployment pipeline. While exploit maturity is currently 'Not Defined' and the EPSS score is below 1%, the confirmed 'reachable' status elevates its priority, signaling that the vulnerable functions are accessible to potential attackers.

This exposure places the security of the dependent workflow bot application under immediate scrutiny. A remediation path is available, upgrading to Guava 32.0.1-jre or 32.0.1-android, which gives development and security teams a clear but urgent action item. Leaving the library unpatched keeps a persistent medium-risk vector in the application's operational environment, potentially compromising its integrity or functionality. The finding underscores the need for continuous dependency monitoring in DevOps pipelines so that reachable vulnerabilities like this one are caught and remediated before they are leveraged in an attack.
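As an added example (not code from the page or from the workflow bot project), a Groovy `build.gradle` of the kind the advisory describes: the flagged `31.1-jre` declaration is shown beside the remediated one, a dependency constraint keeps transitive resolution at or above the fixed version, and a check task fails the build if an affected Guava is still resolved onto the runtime classpath. The task name, the constraint and the version-comparison helper are assumptions of this example; the Maven coordinates `com.google.guava:guava` are Guava's published ones, and the versions are those the advisory names.

```groovy
plugins {
    id 'java'
}
repositories {
    mavenCentral()
}

dependencies {
    // Declaration flagged by the scan (CVE-2023-2976, CVSS 5.5), kept commented out for comparison:
    // implementation 'com.google.guava:guava:31.1-jre'
    // Remediated declaration: one of the two fixed versions the advisory names
    implementation 'com.google.guava:guava:32.0.1-jre'
    // Constraint so a transitive dependency cannot pull an affected Guava back in
    constraints {
        implementation('com.google.guava:guava') {
            version { require '32.0.1-jre' }
            because 'CVE-2023-2976: Guava 31.1-jre flagged as reachable; fixed in 32.0.1'
        }
    }
}

// True when version list a sorts before b, e.g. [31, 1] before [32, 0, 1]
def versionBefore = { List<Integer> a, List<Integer> b ->
    int n = Math.max(a.size(), b.size())
    for (int i = 0; i < n; i++) {
        int x = i < a.size() ? a[i] : 0
        int y = i < b.size() ? b[i] : 0
        if (x != y) return x < y
    }
    return false
}

// Guard task (name is an assumption): fail the build if any Guava older than 32.0.1,
// whatever its -jre/-android suffix, is resolved onto the runtime classpath
tasks.register('checkGuavaVersion') {
    description = 'Fails if a Guava version affected by CVE-2023-2976 is resolved'
    doLast {
        configurations.runtimeClasspath.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .findAll { it != null && it.group == 'com.google.guava' && it.name == 'guava' }
            .each { mv ->
                // "32.0.1-jre" -> [32, 0, 1]; non-numeric parts are dropped
                def numeric = mv.version.tokenize('-')[0].tokenize('.').findAll { it.isInteger() }.collect { it as int }
                if (versionBefore(numeric, [32, 0, 1])) {
                    throw new GradleException("Vulnerable Guava ${mv.version} on runtime classpath (CVE-2023-2976)")
                }
            }
    }
}

// Run the guard as part of the standard verification lifecycle
tasks.named('check') { dependsOn 'checkGuavaVersion' }
```

`./gradlew check` runs the guard; `./gradlew dependencies --configuration runtimeClasspath` shows which Guava version the constraint actually resolved.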
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, dependency, CVE-2023-2976, DevSecOps, software supply chain
- **Credibility**: unverified
- **Published**: 2026-04-18 16:22:31
- **ID**: 70697
- **URL**: https://whisperx.ai/en/intel/70697