CVE-2020-17521

groovy: OS temporary directory leads to information disclosure

  • Severity Score: 5.5 (CVSS v3.1)
  • Exploit Likelihood: - (EPSS)
  • Affected Versions: - (CPE)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)
Descriptions

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

A flaw was found in Apache Groovy. Groovy makes use of a method for creating temporary directories which is not suitable for security-sensitive contexts and allows for sensitive information leakage. The highest threat from this vulnerability is to data confidentiality.

*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS v2
  • Attack Vector: Local
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-08-12 CVE Reserved
  • 2020-12-07 CVE Published
  • 2023-11-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Apache | Groovy | >= 2.0.0 <= 2.4.20 | - | Affected |
| Apache | Groovy | >= 2.5.0 <= 2.5.13 | - | Affected |
| Apache | Groovy | >= 3.0.0 <= 3.0.6 | - | Affected |
| Apache | Groovy | 4.0.0 | alpha1 | Affected |
| Netapp | Snapcenter | - | - | Affected |
| Oracle | Agile Engineering Data Management | 6.2.1.0 | - | Affected |
| Oracle | Agile Plm | 9.3.3 | - | Affected |
| Oracle | Agile Plm | 9.3.6 | - | Affected |
| Oracle | Agile Plm Mcad Connector | 3.4 | - | Affected |
| Oracle | Agile Plm Mcad Connector | 3.6 | - | Affected |
| Oracle | Business Process Management Suite | 12.2.1.3.0 | - | Affected |
| Oracle | Business Process Management Suite | 12.2.1.4.0 | - | Affected |
| Oracle | Communications Brm - Elastic Charging Engine | 11.3.0.9.0 | - | Affected |
| Oracle | Communications Brm - Elastic Charging Engine | 12.0.0.3 | - | Affected |
| Oracle | Communications Diameter Signaling Router | 8.4.0.0 | - | Affected |
| Oracle | Communications Evolved Communications Application Server | 7.1 | - | Affected |
| Oracle | Communications Services Gatekeeper | 6.0 | - | Affected |
| Oracle | Communications Services Gatekeeper | 6.1 | - | Affected |
| Oracle | Communications Services Gatekeeper | 7.0 | - | Affected |
| Oracle | Healthcare Data Repository | 7.0.2 | - | Affected |
| Oracle | Hospitality Opera 5 | 5.6 | - | Affected |
| Oracle | Ilearning | 6.2 | - | Affected |
| Oracle | Ilearning | 6.3 | - | Affected |
| Oracle | Insurance Policy Administration | >= 11.0 <= 11.3.1 | - | Affected |
| Oracle | Jd Edwards Enterpriseone Orchestrator | 9.2.6.0 | - | Affected |
| Oracle | Primavera Gateway | >= 17.12.0 <= 17.12.10 | - | Affected |
| Oracle | Primavera Unifier | >= 17.7 <= 17.12 | - | Affected |
| Oracle | Primavera Unifier | 16.1 | - | Affected |
| Oracle | Primavera Unifier | 16.2 | - | Affected |
| Oracle | Primavera Unifier | 18.8 | - | Affected |
| Oracle | Primavera Unifier | 19.12 | - | Affected |
| Oracle | Primavera Unifier | 20.12 | - | Affected |
| Oracle | Retail Bulk Data Integration | 15.0.3.0 | - | Affected |
| Oracle | Retail Bulk Data Integration | 16.0.3.0 | - | Affected |
| Oracle | Retail Merchandising System | 16.0.3 | - | Affected |
| Oracle | Retail Store Inventory Management | 14.1.3.10 | - | Affected |
| Oracle | Retail Store Inventory Management | 15.0.3.5 | - | Affected |
| Oracle | Retail Store Inventory Management | 16.0.3.5 | - | Affected |
| Apache | Atlas | 2.1.0 | - | Affected |