CVE-2020-17521 log

Severity High
Remote No
Type Privilege escalation
Groovy before version 2.5.14 may create temporary directories within the OS temporary directory which is shared between all users on affected systems. Groovy will create such directories for internal use when producing Java Stubs or on behalf of user code via two extension methods for creating temporary directories. If Groovy user code uses either of these extension methods, and stores executable code in the resulting temporary directory, this can lead to local privilege escalation. If such Groovy code is making use of the temporary directory to store sensitive information, such information could be exposed or modified.
Group Package Affected Fixed Severity Status Ticket
AVG-1325 groovy 2.5.13-1 2.5.14-1 High Fixed FS#68865
Date Advisory Group Package Severity Type
25 Mar 2021 ASA-202103-14 AVG-1325 groovy High privilege escalation

Setting the system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all Groovy versions.

Users who cannot easily move to the fixed Groovy versions may wish to consider using the JDK’s Files#createTempDirectory method instead of the Groovy extension methods.