[ASA-202103-14] groovy: privilege escalation

Morten Linderud foxboron at archlinux.org
Fri Mar 26 20:12:31 UTC 2021


Arch Linux Security Advisory ASA-202103-14
==========================================

Severity: High
Date    : 2021-03-25
CVE-ID  : CVE-2020-17521
Package : groovy
Type    : privilege escalation
Remote  : No
Link    : https://security.archlinux.org/AVG-1325

Summary
=======

The package groovy before version 2.5.14-1 is vulnerable to privilege
escalation.

Resolution
==========

Upgrade to 2.5.14-1.

# pacman -Syu "groovy>=2.5.14-1"

The problem has been fixed upstream in version 2.5.14.

Workaround
==========

None.

Description
===========

Groovy before version 2.5.14 may create temporary directories within
the OS temporary directory which is shared between all users on
affected systems. Groovy will create such directories for internal use
when producing Java Stubs or on behalf of user code via two extension
methods for creating temporary directories. If Groovy user code uses
either of these extension methods, and stores executable code in the
resulting temporary directory, this can lead to local privilege
escalation. If such Groovy code is making use of the temporary
directory to store sensitive information, such information could be
exposed or modified.

Impact
======

A local attacker is able to obtain and modify sensitive information in
Groovy temporary directories leading to privilege escalation if
executable code is stored.

References
==========

https://bugs.archlinux.org/task/68865
https://issues.apache.org/jira/browse/GROOVY-9824
https://github.com/apache/groovy/commit/98dc5d713926cd81b006c510a1546ccd520fe17f
https://security.archlinux.org/CVE-2020-17521
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210326/1615eeb7/attachment.sig>


More information about the arch-security mailing list