Apache Groovy Information Disclosure
Issue date: 08-12-2020
Affects versions: 14.3, 13.4, 12.6
Security Issue ID
SECURITY-203
Affected Product Version(s)
13.4.6, 12.6.13, 14.3.3 (and previous patch releases)
Severity
low
Description
This vulnerability potentially impacts Unix-like systems and very old versions of Mac OS X and Windows. On such OS versions, Groovy may create temporary directories within the OS temporary directory, which is shared between all users on affected systems. Groovy creates such directories for internal use when producing Java stubs (very low impact) or on behalf of user code via two extension methods for creating temporary directories. This scenario could occur in brXM via custom Groovy scripts used by administrators.
Groovy has been updated to use a version that is not vulnerable in all maintained brXM releases.
See CVE-2020-17521.
Instructions
Customers are advised to upgrade to the latest maintenance or minor releases as indicated above. This can be done by simply incrementing the version number of the parent POM for the implementation project.
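
For custom Groovy scripts that need a scratch directory, the JDK's `Files.createTempDirectory` can be used in place of the Groovy temporary-directory extension methods mentioned in the Description. The script below is an added example, not code from brXM or the Groovy project; the helper name `createPrivateTempDir`, the `brxm-script-` prefix and the sample file are assumptions made for illustration.

```groovy
import java.nio.file.FileSystems
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.attribute.PosixFilePermission
import java.nio.file.attribute.PosixFilePermissions

// Before: Groovy's extension method for temporary directories, shown only
// as a comment so that this script does not call it.
// File workDir = File.createTempDir('brxm-script-', '.tmp')

// After: let the JDK create the directory. On POSIX file systems we request
// owner-only permissions explicitly and verify them before using the directory.
// createPrivateTempDir is a hypothetical helper name.
Path createPrivateTempDir(String prefix) {
    boolean posix = FileSystems.getDefault()
            .supportedFileAttributeViews().contains('posix')
    if (!posix) {
        // No POSIX permission model available (for example on Windows).
        return Files.createTempDirectory(prefix)
    }
    Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString('rwx------')
    Path dir = Files.createTempDirectory(
            prefix, PosixFilePermissions.asFileAttribute(ownerOnly))
    // Check the result instead of trusting it: no group or other access.
    Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir)
    if (actual != ownerOnly) {
        Files.delete(dir)
        throw new IllegalStateException(
                "Unexpected permissions on ${dir}: ${PosixFilePermissions.toString(actual)}")
    }
    return dir
}

Path workDir = createPrivateTempDir('brxm-script-')
try {
    // Constructed sample payload standing in for whatever the script stages.
    Path staged = workDir.resolve('export.txt')
    Files.write(staged, 'constructed sample data'.getBytes('UTF-8'))
    println "Staged ${Files.size(staged)} bytes in ${workDir}"
} finally {
    // Remove the directory and its contents when the script is done.
    workDir.toFile().deleteDir()
}
```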