Apache Groovy Information Disclosure 

Issue date: 08-12-2020
Affects versions: 14.3, 13.4, 12.6

Security Issue ID

SECURITY-203

 

Affected Product Version(s)

13.4.6, 12.6.13, 14.3.3 (and previous patch releases)


Severity 

low


Description

This vulnerability potentially impacts Unix-like systems and very old versions of Mac OS X and Windows. On such OS versions, Groovy may create temporary directories inside the OS temporary directory, which is shared between all users of the system. Groovy creates such directories for internal use when producing Java stubs (very low impact), or on behalf of user code via two extension methods for creating temporary directories. In brXM, this scenario could occur through custom Groovy scripts used by administrators.

Groovy has been updated to use a version that is not vulnerable in all maintained brXM releases.

See CVE-2020-17521.
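
For custom Groovy scripts that need a scratch directory, the JDK's `Files.createTempDirectory` can be used in place of Groovy's `File.createTempDir()` extension methods. The following is an added example, not code from brXM or the Groovy project; the helper name `createPrivateTempDir` and the `brxm-script-` prefix are hypothetical.

```groovy
import java.nio.file.FileSystems
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.attribute.PosixFilePermission
import java.nio.file.attribute.PosixFilePermissions

// Pattern to replace in scripts running on an affected Groovy version:
//   File dir = File.createTempDir()
// The directory is created in the OS temp directory shared by all users.

/** Hypothetical helper: creates a temp directory only the owning user can access. */
Path createPrivateTempDir(String prefix) {
    boolean posix = FileSystems.getDefault().supportedFileAttributeViews().contains('posix')
    if (!posix) {
        // Non-POSIX file system: POSIX attributes are unsupported here,
        // so rely on the platform's default handling of temp directories.
        return Files.createTempDirectory(prefix)
    }
    Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString('rwx------')
    Path dir = Files.createTempDirectory(prefix, PosixFilePermissions.asFileAttribute(ownerOnly))

    // Check the result instead of assuming it: refuse to use the directory
    // if group or other users ended up with any access.
    Set<PosixFilePermission> actual = Files.getPosixFilePermissions(dir)
    if (actual != ownerOnly) {
        Files.delete(dir)
        throw new IllegalStateException("Unexpected permissions on ${dir}: ${PosixFilePermissions.toString(actual)}")
    }
    return dir
}

// Usage with constructed sample data; the directory is removed afterwards.
Path work = createPrivateTempDir('brxm-script-')
try {
    Path sample = work.resolve('sample.txt')
    Files.write(sample, 'constructed sample data\n'.getBytes('UTF-8'))
    println "Scratch directory: ${work}"
    println "Files written: ${Files.list(work).count()}"
} finally {
    work.toFile().deleteDir()
}
```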

Instructions

Customers are advised to upgrade to the latest maintenance or minor release as indicated above. This can be done by incrementing the version number of the parent POM for the implementation project.