CVE-2020-17521
groovy: OS temporary directory leads to information disclosure
Severity Score
5.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Apache Groovy provee métodos de extensión para ayudar a crear directorios temporales. Antes de esta corrección, la implementación de Groovy de esos métodos de extensión utilizaba una llamada al método JDK de Java ahora reemplazada que potencialmente no es segura en algunos sistemas operativos en algunos contextos. Los usuarios que no usen los métodos de extensión mencionados en el aviso no están afectados, pero es posible que deseen leer el aviso para obtener más detalles. Versiones afectadas: 2.0 hasta 2.4.20, 2.5.0 hasta 2.5.13, 3.0.0 hasta 3.0.6 y 4.0.0-alpha-1. Corregido en las versiones 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2
A flaw was found in Apache Groovy. Groovy makes use of a method for creating temporary directories which is not suitable for security-sensitive contexts and allows for sensitive information leakage. The highest threat from this vulnerability is to data confidentiality.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-08-12 CVE Reserved
- 2020-12-07 CVE Published
- 2023-11-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (14)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com//security-alerts/cpujul2021.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpujan2021.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpujul2022.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuoct2021.html | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2020-17521 | 2021-12-14 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1922123 | 2021-12-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Groovy Search vendor "Apache" for product "Groovy" | >= 2.0.0 <= 2.4.20 Search vendor "Apache" for product "Groovy" and version " >= 2.0.0 <= 2.4.20" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Groovy Search vendor "Apache" for product "Groovy" | >= 2.5.0 <= 2.5.13 Search vendor "Apache" for product "Groovy" and version " >= 2.5.0 <= 2.5.13" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Groovy Search vendor "Apache" for product "Groovy" | >= 3.0.0 <= 3.0.6 Search vendor "Apache" for product "Groovy" and version " >= 3.0.0 <= 3.0.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Groovy Search vendor "Apache" for product "Groovy" | 4.0.0 Search vendor "Apache" for product "Groovy" and version "4.0.0" | alpha1 |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapcenter Search vendor "Netapp" for product "Snapcenter" | - | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Agile Engineering Data Management Search vendor "Oracle" for product "Agile Engineering Data Management" | 6.2.1.0 Search vendor "Oracle" for product "Agile Engineering Data Management" and version "6.2.1.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Agile Plm Search vendor "Oracle" for product "Agile Plm" | 9.3.3 Search vendor "Oracle" for product "Agile Plm" and version "9.3.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Agile Plm Search vendor "Oracle" for product "Agile Plm" | 9.3.6 Search vendor "Oracle" for product "Agile Plm" and version "9.3.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Agile Plm Mcad Connector Search vendor "Oracle" for product "Agile Plm Mcad Connector" | 3.4 Search vendor "Oracle" for product "Agile Plm Mcad Connector" and version "3.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Agile Plm Mcad Connector Search vendor "Oracle" for product "Agile Plm Mcad Connector" | 3.6 Search vendor "Oracle" for product "Agile Plm Mcad Connector" and version "3.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.3.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Business Process Management Suite Search vendor "Oracle" for product "Business Process Management Suite" | 12.2.1.4.0 Search vendor "Oracle" for product "Business Process Management Suite" and version "12.2.1.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Brm - Elastic Charging Engine Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" | 11.3.0.9.0 Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" and version "11.3.0.9.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Brm - Elastic Charging Engine Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" | 12.0.0.3 Search vendor "Oracle" for product "Communications Brm - Elastic Charging Engine" and version "12.0.0.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Diameter Signaling Router Search vendor "Oracle" for product "Communications Diameter Signaling Router" | 8.4.0.0 Search vendor "Oracle" for product "Communications Diameter Signaling Router" and version "8.4.0.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Evolved Communications Application Server Search vendor "Oracle" for product "Communications Evolved Communications Application Server" | 7.1 Search vendor "Oracle" for product "Communications Evolved Communications Application Server" and version "7.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Services Gatekeeper Search vendor "Oracle" for product "Communications Services Gatekeeper" | 6.0 Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "6.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Services Gatekeeper Search vendor "Oracle" for product "Communications Services Gatekeeper" | 6.1 Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "6.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Services Gatekeeper Search vendor "Oracle" for product "Communications Services Gatekeeper" | 7.0 Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Healthcare Data Repository Search vendor "Oracle" for product "Healthcare Data Repository" | 7.0.2 Search vendor "Oracle" for product "Healthcare Data Repository" and version "7.0.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Hospitality Opera 5 Search vendor "Oracle" for product "Hospitality Opera 5" | 5.6 Search vendor "Oracle" for product "Hospitality Opera 5" and version "5.6" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Ilearning Search vendor "Oracle" for product "Ilearning" | 6.2 Search vendor "Oracle" for product "Ilearning" and version "6.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Ilearning Search vendor "Oracle" for product "Ilearning" | 6.3 Search vendor "Oracle" for product "Ilearning" and version "6.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Insurance Policy Administration Search vendor "Oracle" for product "Insurance Policy Administration" | >= 11.0 <= 11.3.1 Search vendor "Oracle" for product "Insurance Policy Administration" and version " >= 11.0 <= 11.3.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jd Edwards Enterpriseone Orchestrator Search vendor "Oracle" for product "Jd Edwards Enterpriseone Orchestrator" | 9.2.6.0 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Orchestrator" and version "9.2.6.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Primavera Gateway Search vendor "Oracle" for product "Primavera Gateway" | >= 17.12.0 <= 17.12.10 Search vendor "Oracle" for product "Primavera Gateway" and version " >= 17.12.0 <= 17.12.10" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | >= 17.7 <= 17.12 Search vendor "Oracle" for product "Primavera Unifier" and version " >= 17.7 <= 17.12" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 16.1 Search vendor "Oracle" for product "Primavera Unifier" and version "16.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 16.2 Search vendor "Oracle" for product "Primavera Unifier" and version "16.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 18.8 Search vendor "Oracle" for product "Primavera Unifier" and version "18.8" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 19.12 Search vendor "Oracle" for product "Primavera Unifier" and version "19.12" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Primavera Unifier Search vendor "Oracle" for product "Primavera Unifier" | 20.12 Search vendor "Oracle" for product "Primavera Unifier" and version "20.12" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Bulk Data Integration Search vendor "Oracle" for product "Retail Bulk Data Integration" | 15.0.3.0 Search vendor "Oracle" for product "Retail Bulk Data Integration" and version "15.0.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Bulk Data Integration Search vendor "Oracle" for product "Retail Bulk Data Integration" | 16.0.3.0 Search vendor "Oracle" for product "Retail Bulk Data Integration" and version "16.0.3.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Merchandising System Search vendor "Oracle" for product "Retail Merchandising System" | 16.0.3 Search vendor "Oracle" for product "Retail Merchandising System" and version "16.0.3" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Store Inventory Management Search vendor "Oracle" for product "Retail Store Inventory Management" | 14.1.3.10 Search vendor "Oracle" for product "Retail Store Inventory Management" and version "14.1.3.10" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Store Inventory Management Search vendor "Oracle" for product "Retail Store Inventory Management" | 15.0.3.5 Search vendor "Oracle" for product "Retail Store Inventory Management" and version "15.0.3.5" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Retail Store Inventory Management Search vendor "Oracle" for product "Retail Store Inventory Management" | 16.0.3.5 Search vendor "Oracle" for product "Retail Store Inventory Management" and version "16.0.3.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Atlas Search vendor "Apache" for product "Atlas" | 2.1.0 Search vendor "Apache" for product "Atlas" and version "2.1.0" | - |
Affected
| ||||||