CVE-2020-17521

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://groovy-lang.org/security.html#CVE-2020-17521	Third Party Advisory
https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08%40%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E
https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3%40%3Cdev.atlas.apache.org%3E
https://security.netapp.com/advisory/ntap-20201218-0006/	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory
https://groovy-lang.org/security.html#CVE-2020-17521	Third Party Advisory
https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08%40%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E
https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3%40%3Cdev.atlas.apache.org%3E
https://security.netapp.com/advisory/ntap-20201218-0006/	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:groovy::::::::
	cpe:2.3:a:apache:groovy::::::::
	cpe:2.3:a:apache:groovy::::::::
	cpe:2.3:a:apache:groovy:4.0.0:alpha1::::::

Configuration 2 (hide)

cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
	cpe:2.3:a:oracle:agile_plm_mcad_connector:3.4:::::::*
	cpe:2.3:a:oracle:agile_plm_mcad_connector:3.6:::::::*
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3.0.9.0:::::::*
	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:::::::*
	cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4.0.0:::::::*
	cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:::::::*
	cpe:2.3:a:oracle:communications_services_gatekeeper:6.0:::::::*
	cpe:2.3:a:oracle:communications_services_gatekeeper:6.1:::::::*
	cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:::::::*
	cpe:2.3:a:oracle:healthcare_data_repository:7.0.2:::::::*
	cpe:2.3:a:oracle:hospitality_opera_5:5.6:::::::*
	cpe:2.3:a:oracle:ilearning:6.2:::::::*
	cpe:2.3:a:oracle:ilearning:6.3:::::::*
	cpe:2.3:a:oracle:insurance_policy_administration::::::::
	cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2.6.0:::::::*
	cpe:2.3:a:oracle:primavera_gateway::::::::
	cpe:2.3:a:oracle:primavera_unifier::::::::
	cpe:2.3:a:oracle:primavera_unifier:16.1:::::::*
	cpe:2.3:a:oracle:primavera_unifier:16.2:::::::*
	cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
	cpe:2.3:a:oracle:retail_bulk_data_integration:15.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:::::::*
	cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:::::::*
	cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.10:::::::*
	cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.5:::::::*
	cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3.5:::::::*

Configuration 4 (hide)

cpe:2.3:a:apache:atlas:2.1.0:-:*:*:*:*:*:*

History

21 Nov 2024, 05:08

Type	Values Removed	Values Added
References	~~() https://groovy-lang.org/security.html#CVE-2020-17521 - Third Party Advisory~~	() https://groovy-lang.org/security.html#CVE-2020-17521 - Third Party Advisory
References	~~() https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08%40%3Cdev.atlas.apache.org%3E -~~	() https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08%40%3Cdev.atlas.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E -~~	() https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E -
References	~~() https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3%40%3Cdev.atlas.apache.org%3E -~~	() https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3%40%3Cdev.atlas.apache.org%3E -
References	~~() https://security.netapp.com/advisory/ntap-20201218-0006/ - Third Party Advisory~~	() https://security.netapp.com/advisory/ntap-20201218-0006/ - Third Party Advisory
References	~~() https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory~~	() https://www.oracle.com//security-alerts/cpujul2021.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpuApr2021.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpujan2021.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpujan2021.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpujul2022.html - Patch, Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpuoct2021.html - Patch, Third Party Advisory

07 Nov 2023, 03:19

Type	Values Removed	Values Added
References	{'url': 'https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08@%3Cdev.atlas.apache.org%3E', 'name': '[atlas-dev] 20210422 [jira] [Updated] (ATLAS-4257) Atlas - Upgrade groovy to 2.4.21+, 2.5.14+, 3.0.7+, or 4.0.0-alpha-2+ due to CVE-2020-17521', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3@%3Cdev.atlas.apache.org%3E', 'name': '[atlas-dev] 20210422 [jira] [Created] (ATLAS-4257) Atlas - Upgrade groovy to 2.4.21+, 2.5.14+, 3.0.7+, or 4.0.0-alpha-2+ due to CVE-2020-17521', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E', 'name': '[groovy-notifications] 20201207 [jira] [Closed] (GROOVY-9824) CVE-2020-17521 Apache Groovy Information Disclosure', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}	() https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08%40%3Cdev.atlas.apache.org%3E - () https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3%40%3Cdev.atlas.apache.org%3E - () https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E -

Information

Published : 2020-12-07 20:15

Updated : 2024-11-21 05:08

NVD link : CVE-2020-17521

Mitre link : CVE-2020-17521

CVE.ORG link : CVE-2020-17521

JSON object : View

Products Affected

oracle

communications_services_gatekeeper
healthcare_data_repository
agile_engineering_data_management
jd_edwards_enterpriseone_orchestrator
primavera_gateway
insurance_policy_administration
agile_plm_mcad_connector
primavera_unifier
hospitality_opera_5
agile_plm
retail_bulk_data_integration
retail_store_inventory_management
communications_evolved_communications_application_server
communications_brm_-_elastic_charging_engine
ilearning
business_process_management_suite
communications_diameter_signaling_router
retail_merchandising_system

apache

atlas
groovy

netapp

snapcenter

CWE

NVD-CWE-Other

5.5 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1 /10

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2020-17521

5.5^/10

2.1^/10

Attach tags to `CVE-2020-17521`