Vulnerability Details : CVE-2020-17521
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Exploit prediction scoring system (EPSS) score for CVE-2020-17521
Probability of exploitation activity in the next 30 days: 0.07%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 28 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-17521
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST |
|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
References for CVE-2020-17521
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3@%3Cdev.atlas.apache.org%3E
[jira] [Created] (ATLAS-4257) Atlas - Upgrade groovy to 2.4.21+, 2.5.14+, 3.0.7+, or 4.0.0-alpha-2+ due to CVE-2020-17521 - Pony MailMailing List;Third Party Advisory
-
https://www.oracle.com//security-alerts/cpujul2021.html
Oracle Critical Patch Update Advisory - July 2021Patch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2022.html
Oracle Critical Patch Update Advisory - January 2022Patch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2021.html
Oracle Critical Patch Update Advisory - January 2021Patch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20201218-0006/
CVE-2020-17521 Apache Groovy Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuApr2021.html
Oracle Critical Patch Update Advisory - April 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08@%3Cdev.atlas.apache.org%3E
[jira] [Updated] (ATLAS-4257) Atlas - Upgrade groovy to 2.4.21+, 2.5.14+, 3.0.7+, or 4.0.0-alpha-2+ due to CVE-2020-17521 - Pony MailMailing List;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E
Mailing List;Vendor Advisory
-
https://groovy-lang.org/security.html#CVE-2020-17521
Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujul2022.html
Oracle Critical Patch Update Advisory - July 2022Patch;Third Party Advisory
Products affected by CVE-2020-17521
- cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:groovy:4.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:apache:atlas:2.1.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:ilearning:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:ilearning:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_bulk_data_integration:15.0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2.6.0:*:*:*:*:*:*:*
- Oracle » Insurance Policy AdministrationVersions from including (>=) 11.0 and up to, including, (<=) 11.3.1cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_services_gatekeeper:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_services_gatekeeper:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:healthcare_data_repository:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3.0.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm_mcad_connector:3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm_mcad_connector:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*