Vulnerability Description
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
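As an added illustration, not code from the Groovy project or from the advisory, the weak pattern is assumed here to be the temp-file-then-mkdir sequence (create a temporary file, delete it, create a directory under that name), shown beside the JDK's Files.createTempDirectory with explicit owner-only permissions; the method names are the example's own, and the POSIX permission calls only work on POSIX file systems.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempDirExample {

    // Weak pattern (assumption: the superseded sequence the advisory alludes to).
    // A temp *file* is created, deleted, and a directory made under the same name.
    // Between delete() and mkdir() another process can claim that name, and the
    // directory's mode is whatever the process umask permits, often world-readable.
    static File weakCreateTempDir(String prefix) throws IOException {
        File f = File.createTempFile(prefix, "");
        if (!f.delete() || !f.mkdir()) {
            throw new IOException("could not create temp dir at " + f);
        }
        return f;
    }

    // Hardened form: Files.createTempDirectory creates the directory in one step
    // and, on POSIX file systems, takes an explicit mode (the JDK default for
    // temp directories on POSIX is already rwx------; stating it makes intent clear).
    static Path safeCreateTempDir(String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        return Files.createTempDirectory(prefix, attr);
    }

    // Defensive check for audits: does the directory grant any group/other access?
    static boolean isOwnerOnly(Path dir) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(dir)) {
            if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) return false;
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        File weak = weakCreateTempDir("weak-");
        Path safe = safeCreateTempDir("safe-");
        System.out.println(weak + " owner-only: " + isOwnerOnly(weak.toPath()));
        System.out.println(safe + " owner-only: " + isOwnerOnly(safe.toPath()));
        weak.delete();
        Files.delete(safe);
    }
}
```

With a typical umask of 022 the weak directory reports owner-only: false while the hardened one reports true, which is the permission difference the advisory refers to.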
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Groovy | >= 2.0.0, <= 2.4.20 |
| NetApp | SnapCenter | - |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile PLM | 9.3.3 |
| Oracle | Agile PLM MCAD Connector | 3.4 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Communications BRM - Elastic Charging Engine | 11.3.0.9.0 |
| Oracle | Communications Diameter Signaling Router | 8.4.0.0 |
| Oracle | Communications Evolved Communications Application Server | 7.1 |
| Oracle | Communications Services Gatekeeper | 6.0 |
| Oracle | Healthcare Data Repository | 7.0.2 |
| Oracle | Hospitality Opera 5 | 5.6 |
| Oracle | iLearning | 6.2 |
| Oracle | Insurance Policy Administration | >= 11.0, <= 11.3.1 |
| Oracle | JD Edwards EnterpriseOne Orchestrator | 9.2.6.0 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.10 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Retail Bulk Data Integration | 15.0.3.0 |
| Oracle | Retail Merchandising System | 16.0.3 |
| Oracle | Retail Store Inventory Management | 14.1.3.10 |
References
- https://groovy-lang.org/security.html#CVE-2020-17521 (Third Party Advisory)
- https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038
- https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad
- https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f3
- https://security.netapp.com/advisory/ntap-20201218-0006/ (Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
FAQ
What is CVE-2020-17521?
CVE-2020-17521 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method ca...
How severe is CVE-2020-17521?
CVE-2020-17521 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2020-17521?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Groovy, NetApp SnapCenter, Oracle Agile Engineering Data Management, Oracle Agile PLM, Oracle Agile PLM MCAD Connector.