Information Disclosure Vulnerability in Apache Groovy
CVE-2020-17521

5.5 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 7 December 2020

Summary

Apache Groovy provides extension methods for creating temporary directories. Before the fix, the implementation of these methods used an obsolete Java JDK method that posed a potential security risk on certain operating systems under specific circumstances. Users who do not call these extension methods are not affected, but are encouraged to review the advisory for details. Updated versions address this vulnerability and are recommended for all users.

Affected Version(s)

Apache Groovy 2.0 to 2.4.20

Apache Groovy 2.5.0 to 2.5.13

Apache Groovy 3.0.0 to 3.0.6

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
