CVE-2020-17521

Published: 07/12/2020 Updated: 07/11/2023
CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 187
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Vulnerable Product

apache groovy 4.0.0

apache groovy

netapp snapcenter -

oracle primavera unifier 16.2

oracle primavera unifier 16.1

oracle ilearning 6.2

oracle business process management suite 12.2.1.3.0

oracle primavera unifier 18.8

oracle primavera unifier

oracle agile plm 9.3.3

oracle agile plm 9.3.6

oracle primavera unifier 19.12

oracle retail bulk data integration 15.0.3.0

oracle retail bulk data integration 16.0.3.0

oracle communications services gatekeeper 7.0

oracle retail merchandising system 16.0.3

oracle communications evolved communications application server 7.1

oracle agile engineering data management 6.2.1.0

oracle primavera unifier 20.12

oracle business process management suite 12.2.1.4.0

oracle communications services gatekeeper 6.0

oracle communications services gatekeeper 6.1

oracle hospitality opera 5 5.6

oracle insurance policy administration

oracle communications brm - elastic charging engine 12.0.0.3

oracle retail store inventory management 15.0.3.5

oracle retail store inventory management 16.0.3.5

oracle retail store inventory management 14.1.3.10

oracle ilearning 6.3

oracle communications brm - elastic charging engine 11.3.0.9.0

oracle primavera gateway

oracle jd edwards enterpriseone orchestrator 9.2.6.0

oracle healthcare data repository 7.0.2

oracle agile plm mcad connector 3.4

oracle agile plm mcad connector 3.6

oracle communications diameter signaling router 8.4.0.0

apache atlas 2.1.0

Vendor Advisories

Debian Bug report logs - #977399 groovy: CVE-2020-17521 Package: src:groovy; Maintainer for src:groovy is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Mon, 14 Dec 2020 18:42:02 UTC Severity: important Tags: security, upstream Foun ...
Groovy before version 2.5.14 may create temporary directories within the OS temporary directory, which is shared between all users on affected systems. Groovy will create such directories for internal use when producing Java Stubs or on behalf of user code via two extension methods for creating temporary directories. If Groovy user code uses either ...