Arch Linux Security Advisory ASA-202103-14

Severity: High
Date    : 2021-03-25
CVE-ID  : CVE-2020-17521
Package : groovy
Type    : privilege escalation
Remote  : No
Link    :


The package groovy before version 2.5.14-1 is vulnerable to privilege


Upgrade to 2.5.14-1.

# pacman -Syu "groovy>=2.5.14-1"

The problem has been fixed upstream in version 2.5.14.




Groovy before version 2.5.14 may create temporary directories within
the OS temporary directory which is shared between all users on
affected systems. Groovy will create such directories for internal use
when producing Java Stubs or on behalf of user code via two extension
methods for creating temporary directories. If Groovy user code uses
either of these extension methods, and stores executable code in the
resulting temporary directory, this can lead to local privilege
escalation. If such Groovy code is making use of the temporary
directory to store sensitive information, such information could be
exposed or modified.


A local attacker is able to obtain and modify sensitive information in
Groovy temporary directories, leading to privilege escalation if
executable code is stored there.
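
For user code that stores executable or sensitive files in a temporary directory, as in the description above, the directory can be created owner-only and checked before use. This is an added example, not code from the advisory or from the Groovy project. It assumes a POSIX file system, and the names createPrivateTempDir, assertPrivate, the 'build-scripts-' prefix and step.sh are hypothetical.

```groovy
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.attribute.PosixFilePermission
import java.nio.file.attribute.PosixFilePermissions

// Create a temporary directory that only the current user can enter.
// Files.createTempDirectory (JDK) fails if the generated name already exists,
// so a directory pre-created by another local user is never reused.
Path createPrivateTempDir(String prefix) {
    Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString('rwx------')
    Path dir = Files.createTempDirectory(prefix,
            PosixFilePermissions.asFileAttribute(ownerOnly))
    assertPrivate(dir)
    return dir
}

// Refuse to use a directory that group or others can read, write or enter.
void assertPrivate(Path dir) {
    Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir)
    def exposed = perms.findAll { !it.name().startsWith('OWNER_') }
    if (exposed) {
        throw new SecurityException("${dir} is accessible to other users: ${exposed}")
    }
}

// Usage: store a script in the private directory, then clean up.
Path work = createPrivateTempDir('build-scripts-')   // hypothetical prefix
try {
    Path script = work.resolve('step.sh')            // hypothetical file name
    Files.write(script, '#!/bin/sh\necho ok\n'.getBytes('UTF-8'))
    Files.setPosixFilePermissions(script, PosixFilePermissions.fromString('rwx------'))
    println "${work} ${PosixFilePermissions.toString(Files.getPosixFilePermissions(work))}"
} finally {
    work.toFile().deleteDir()
}
```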