[ASA-202103-14] groovy: privilege escalation
Arch Linux Security Advisory ASA-202103-14 ========================================== Severity: High Date : 2021-03-25 CVE-ID : CVE-2020-17521 Package : groovy Type : privilege escalation Remote : No Link : https://security.archlinux.org/AVG-1325 Summary ======= The package groovy before version 2.5.14-1 is vulnerable to privilege escalation. Resolution ========== Upgrade to 2.5.14-1. # pacman -Syu "groovy>=2.5.14-1" The problem has been fixed upstream in version 2.5.14. Workaround ========== None. Description =========== Groovy before version 2.5.14 may create temporary directories within the OS temporary directory which is shared between all users on affected systems. Groovy will create such directories for internal use when producing Java Stubs or on behalf of user code via two extension methods for creating temporary directories. If Groovy user code uses either of these extension methods, and stores executable code in the resulting temporary directory, this can lead to local privilege escalation. If such Groovy code is making use of the temporary directory to store sensitive information, such information could be exposed or modified. Impact ====== A local attacker is able to obtain and modify sensitive information in Groovy temporary directories leading to privilege escalation if executable code is stored. References ========== https://bugs.archlinux.org/task/68865 https://issues.apache.org/jira/browse/GROOVY-9824 https://github.com/apache/groovy/commit/98dc5d713926cd81b006c510a1546ccd520f... https://security.archlinux.org/CVE-2020-17521
participants (1)
-
Morten Linderud