CVE-2020-17521

CVSSv4: NA | CVSSv3: 5.5 | CVSSv2: 2.1 | VMScore: 650 | EPSS: 0.00069 | KEV: Not Included
Published: 07/12/2020 Updated: 21/11/2024

Vulnerability Summary

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Vulnerable Products

apache groovy

apache groovy 4.0.0

netapp snapcenter -

oracle agile engineering data management 6.2.1.0

oracle agile plm 9.3.3

oracle agile plm 9.3.6

oracle agile plm mcad connector 3.4

oracle agile plm mcad connector 3.6

oracle business process management suite 12.2.1.3.0

oracle business process management suite 12.2.1.4.0

oracle communications brm - elastic charging engine 11.3.0.9.0

oracle communications brm - elastic charging engine 12.0.0.3

oracle communications diameter signaling router 8.4.0.0

oracle communications evolved communications application server 7.1

oracle communications services gatekeeper 6.0

oracle communications services gatekeeper 6.1

oracle communications services gatekeeper 7.0

oracle healthcare data repository 7.0.2

oracle hospitality opera 5 5.6

oracle ilearning 6.2

oracle ilearning 6.3

oracle insurance policy administration

oracle jd edwards enterpriseone orchestrator 9.2.6.0

oracle primavera gateway

oracle primavera unifier

oracle primavera unifier 16.1

oracle primavera unifier 16.2

oracle primavera unifier 18.8

oracle primavera unifier 19.12

oracle primavera unifier 20.12

oracle retail bulk data integration 15.0.3.0

oracle retail bulk data integration 16.0.3.0

oracle retail merchandising system 16.0.3

oracle retail store inventory management 14.1.3.10

oracle retail store inventory management 15.0.3.5

oracle retail store inventory management 16.0.3.5

apache atlas 2.1.0

Vendor Advisories

Debian Bug report logs - #977399 groovy: CVE-2020-17521 Package: src:groovy; Maintainer for src:groovy is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Mon, 14 Dec 2020 18:42:02 UTC Severity: important Tags: security, upstream Foun ...
Groovy before version 2.5.14 may create temporary directories within the OS temporary directory, which is shared between all users on affected systems. Groovy will create such directories for internal use when producing Java Stubs or on behalf of user code via two extension methods for creating temporary directories. If Groovy user code uses either ...

Mailing Lists

CVE-2020-17521 Apache Groovy Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Unsupported Codehaus versions of Groovy from 2.0 to 2.4.4; Apache Groovy versions 2.4.4 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1 Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2 Impact: ...

References

NVD-CWE-Other
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977399
https://nvd.nist.gov
https://www.first.org/epss
https://groovy-lang.org/security.html#CVE-2020-17521
https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08%40%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E
https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3%40%3Cdev.atlas.apache.org%3E
https://security.netapp.com/advisory/ntap-20201218-0006/
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html