Apache Groovy Information Disclosure 

Issue date: 08-12-2020
Affects versions: 14.3, 13.4, 12.6

Security Issue ID



Affected Product Version(s)

13.4.6, 12.6.13, 14.3.3 (and previous patch releases)




This vulnerability potentially impacts Unix-like systems, and very old versions of Mac OS X and Windows. On such OS versions, Groovy may create temporary directories within the OS temporary directory, which is shared between all users on affected systems. Groovy creates such directories for internal use when producing Java stubs (very low impact) or on behalf of user code via two extension methods for creating temporary directories. This scenario could occur in brXM via custom Groovy scripts used by administrators.

In all maintained brXM releases, Groovy has been updated to a version that is not vulnerable.

See CVE-2020-17521.


Customers are advised to upgrade to the latest maintenance or minor releases as indicated above. This can be done by incrementing the version number of the parent POM for the implementation project.
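For custom Groovy scripts that need scratch space, the following added example (not code from brXM or from the Groovy project) creates the directory with the JDK's `Files.createTempDirectory` instead of the Groovy `File.createTempDir` extension methods, and checks the resulting permissions. The helper name `createPrivateTempDir`, the `brxm-script-` prefix and the sample file contents are assumptions made for illustration.

```groovy
import java.nio.file.FileSystems
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.attribute.PosixFilePermissions

// Pattern to replace in custom scripts (Groovy extension method):
//   File workDir = File.createTempDir()

/**
 * Hypothetical helper: creates a temporary directory through the JDK.
 * On POSIX file systems the mode rwx------ is applied at creation time,
 * so other local users never get a window in which they can list or
 * write into the directory.
 */
Path createPrivateTempDir(String prefix) {
    boolean posix = FileSystems.getDefault()
            .supportedFileAttributeViews().contains('posix')
    if (!posix) {
        // Non-POSIX file system: permission attributes are not supported,
        // so fall back to the JDK defaults.
        return Files.createTempDirectory(prefix)
    }
    def ownerOnlySet = PosixFilePermissions.fromString('rwx------')
    def ownerOnly = PosixFilePermissions.asFileAttribute(ownerOnlySet)
    Path dir = Files.createTempDirectory(prefix, ownerOnly)

    // Defensive check: refuse to continue if the mode is wider than expected.
    if (Files.getPosixFilePermissions(dir) != ownerOnlySet) {
        Files.delete(dir)
        throw new IllegalStateException("Unexpected permissions on ${dir}")
    }
    return dir
}

// Usage with constructed sample data; the directory is removed afterwards.
Path workDir = createPrivateTempDir('brxm-script-')
try {
    Path scratch = Files.createTempFile(workDir, 'export-', '.tmp')
    Files.write(scratch, 'constructed sample data\n'.getBytes('UTF-8'))
    println "Wrote ${Files.size(scratch)} bytes under ${workDir}"
} finally {
    workDir.toFile().deleteDir()   // recursive delete (Groovy File extension)
}
```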