CVE-2020-17521: Infoleak
First published: Thu Nov 19 2020(Updated: )
A flaw was found in Apache Groovy. Groovy makes use of a method for creating temporary directories which is not suitable for security-sensitive contexts and allows for sensitive information leakage. The highest threat from this vulnerability is to data confidentiality.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/groovy | <2.4.21 | 2.4.21 |
| redhat/groovy | <2.5.14 | 2.5.14 |
| redhat/groovy | <3.0.7 | 3.0.7 |
| redhat/groovy 4.0.0-alpha | <2 | 2 |
| maven/org.codehaus.groovy:groovy-all | >=3.0.0<3.0.7 | 3.0.7 |
| maven/org.codehaus.groovy:groovy-all | >=2.5.0<2.5.14 | 2.5.14 |
| maven/org.codehaus.groovy:groovy-all | >=2.0.0<2.4.21 | 2.4.21 |
| maven/org.codehaus.groovy:groovy | >=3.0.0<3.0.7 | 3.0.7 |
| maven/org.codehaus.groovy:groovy | >=2.5.0<2.5.14 | 2.5.14 |
| maven/org.codehaus.groovy:groovy | >=2.0.0<2.4.21 | 2.4.21 |
| Apache Groovy | >=2.0.0<=2.4.20 | |
| Apache Groovy | >=2.5.0<=2.5.13 | |
| Apache Groovy | >=3.0.0<=3.0.6 | |
| Apache Groovy | =4.0.0-alpha1 | |
| Netapp Snapcenter | ||
| Oracle Agile Engineering Data Management | =6.2.1.0 | |
| Oracle Agile PLM | =9.3.3 | |
| Oracle Agile PLM | =9.3.6 | |
| Oracle Agile Plm Mcad Connector | =3.4 | |
| Oracle Agile Plm Mcad Connector | =3.6 | |
| Oracle Business Process Management Suite | =12.2.1.3.0 | |
| Oracle Business Process Management Suite | =12.2.1.4.0 | |
| Oracle Communications Brm - Elastic Charging Engine | =11.3.0.9.0 | |
| Oracle Communications Brm - Elastic Charging Engine | =12.0.0.3 | |
| Oracle Communications Diameter Signaling Router | =8.4.0.0 | |
| Oracle Communications Evolved Communications Application Server | =7.1 | |
| Oracle Communications Services Gatekeeper | =6.0 | |
| Oracle Communications Services Gatekeeper | =6.1 | |
| Oracle Communications Services Gatekeeper | =7.0 | |
| Oracle Healthcare Data Repository | =7.0.2 | |
| Oracle Hospitality OPERA 5 | =5.6 | |
| Oracle iLearning | =6.2 | |
| Oracle iLearning | =6.3 | |
| Oracle Insurance Policy Administration | >=11.0<=11.3.1 | |
| Oracle Jd Edwards Enterpriseone Orchestrator | =9.2.6.0 | |
| Oracle Primavera Gateway | >=17.12.0<=17.12.10 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =16.1 | |
| Oracle Primavera Unifier | =16.2 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Retail Bulk Data Integration | =15.0.3.0 | |
| Oracle Retail Bulk Data Integration | =16.0.3.0 | |
| Oracle Retail Merchandising System | =16.0.3 | |
| Oracle Retail Store Inventory Management | =14.1.3.10 | |
| Oracle Retail Store Inventory Management | =15.0.3.5 | |
| Oracle Retail Store Inventory Management | =16.0.3.5 | |
| Apache Atlas | =2.1.0 |
Remedy
Setting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems and all Groovy versions. Users who cannot easily move to the fixed Groovy versions may wish to consider using the JDK’s Files#createTempDirectory method instead of the Groovy extension methods.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-17521 https://nvd.nist.gov/vuln/detail/CVE-2020-17521 https://groovy-lang.org/security.html#CVE-2020-17521
- https://bugzilla.redhat.com/show_bug.cgi?id=1922123
- https://access.redhat.com/errata/RHSA-2021:3205
- https://access.redhat.com/errata/RHSA-2021:3207
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/security/cve/cve-2020-17521
- https://groovy-lang.org/security.html#CVE-2020-17521
- https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08@%3Cdev.atlas.apache.org%3E
- https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3@%3Cdev.atlas.apache.org%3E
- https://security.netapp.com/advisory/ntap-20201218-0006/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/apache/groovy/pull/1425/commits/ea814531fe7c9a813e6d0b04533015020ed6cab7
- https://issues.apache.org/jira/browse/GROOVY-9824
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/support/policy/updates/errata/
- https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3%40%3Cdev.atlas.apache.org%3E
- https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08%40%3Cdev.atlas.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2020-17521
- https://github.com/apache/groovy/pull/1425
- https://github.com/apache/groovy/commit/bcbe5c4c76db83736166530647c024ac1e47ef28
- https://security.netapp.com/advisory/ntap-20201218-0006
- https://github.com/advisories/GHSA-rcjj-h6gh-jf3r (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-17521?
CVE-2020-17521 is a vulnerability found in Apache Groovy that allows an attacker to perform a directory traversal attack.
How severe is CVE-2020-17521?
CVE-2020-17521 has a severity rating of 5.5 (medium).
Who is affected by CVE-2020-17521?
The vulnerability affects users of Apache Groovy versions from 2.0.0 up to (but not including) 2.4.21, versions from 2.5.0 up to (but not including) 2.5.14, and versions from 3.0.0 up to (but not including) 3.0.7.
How can I fix CVE-2020-17521?
To fix CVE-2020-17521, users should update Apache Groovy to version 2.4.21, 2.5.14, or 3.0.7.
Where can I find more information about CVE-2020-17521?
More information about CVE-2020-17521 can be found on the Apache Groovy security page, as well as in the provided references.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-17521
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rcjj-h6gh-jf3r
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/event
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/github-advisory
- package-manager/redhat
- package-manager/maven
- vendor/apache
- canonical/apache groovy
- version/apache groovy/2.0.0
- version/apache groovy/2.4.20
- version/apache groovy/2.5.0
- version/apache groovy/2.5.13
- version/apache groovy/3.0.0
- version/apache groovy/3.0.6
- version/apache groovy/4.0.0-alpha1
- vendor/netapp
- canonical/netapp snapcenter
- vendor/oracle
- canonical/oracle agile engineering data management
- version/oracle agile engineering data management/6.2.1.0
- canonical/oracle agile plm
- version/oracle agile plm/9.3.3
- version/oracle agile plm/9.3.6
- canonical/oracle agile plm mcad connector
- version/oracle agile plm mcad connector/3.4
- version/oracle agile plm mcad connector/3.6
- canonical/oracle business process management suite
- version/oracle business process management suite/12.2.1.3.0
- version/oracle business process management suite/12.2.1.4.0
- canonical/oracle communications brm - elastic charging engine
- version/oracle communications brm - elastic charging engine/11.3.0.9.0
- version/oracle communications brm - elastic charging engine/12.0.0.3
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.4.0.0
- canonical/oracle communications evolved communications application server
- version/oracle communications evolved communications application server/7.1
- canonical/oracle communications services gatekeeper
- version/oracle communications services gatekeeper/6.0
- version/oracle communications services gatekeeper/6.1
- version/oracle communications services gatekeeper/7.0
- canonical/oracle healthcare data repository
- version/oracle healthcare data repository/7.0.2
- canonical/oracle hospitality opera 5
- version/oracle hospitality opera 5/5.6
- canonical/oracle ilearning
- version/oracle ilearning/6.2
- version/oracle ilearning/6.3
- canonical/oracle insurance policy administration
- version/oracle insurance policy administration/11.0
- version/oracle insurance policy administration/11.3.1
- canonical/oracle jd edwards enterpriseone orchestrator
- version/oracle jd edwards enterpriseone orchestrator/9.2.6.0
- canonical/oracle primavera gateway
- version/oracle primavera gateway/17.12.0
- version/oracle primavera gateway/17.12.10
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/16.1
- version/oracle primavera unifier/16.2
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- canonical/oracle retail bulk data integration
- version/oracle retail bulk data integration/15.0.3.0
- version/oracle retail bulk data integration/16.0.3.0
- canonical/oracle retail merchandising system
- version/oracle retail merchandising system/16.0.3
- canonical/oracle retail store inventory management
- version/oracle retail store inventory management/14.1.3.10
- version/oracle retail store inventory management/15.0.3.5
- version/oracle retail store inventory management/16.0.3.5
- canonical/apache atlas
- version/apache atlas/2.1.0