CVE-2020-17521 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	No
Type	Privilege escalation
Description	Groovy before version 2.5.14 may create temporary directories within the OS temporary directory which is shared between all users on affected systems. Groovy will create such directories for internal use when producing Java Stubs or on behalf of user code via two extension methods for creating temporary directories. If Groovy user code uses either of these extension methods, and stores executable code in the resulting temporary directory, this can lead to local privilege escalation. If such Groovy code is making use of the temporary directory to store sensitive information, such information could be exposed or modified.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1325	groovy	2.5.13-1	2.5.14-1	High	Fixed	FS#68865

Date	Advisory	Group	Package	Severity	Type
25 Mar 2021	ASA-202103-14	AVG-1325	groovy	High	privilege escalation

References
https://issues.apache.org/jira/browse/GROOVY-9824 https://github.com/apache/groovy/commit/98dc5d713926cd81b006c510a1546ccd520fe17f

Notes
Workaround ========== Setting the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all Groovy versions. Users who cannot easily move to the fixed Groovy versions may wish to consider using the JDK’s Files#createTempDirectory method instead of the Groovy extension methods.

Notes

Workaround
==========

Setting the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all Groovy versions.

Users who cannot easily move to the fixed Groovy versions may wish to consider using the JDK’s Files#createTempDirectory method instead of the Groovy extension methods.