Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0911
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Oracle Weblogic. Elles permettent à un attaquant de provoquer un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
Title | Publication Time | Tags | |||
---|---|---|---|---|---|
|
{ "$ref": "https://www.cert.ssi.gouv.fr/openapi.json", "affected_systems": [ { "description": "Oracle WebLogic Server version 14.1.2.0.0", "product": { "name": "Weblogic", "vendor": { "name": "Oracle", "scada": false } } }, { "description": "Oracle WebLogic Server version 12.2.1.4.0", "product": { "name": "Weblogic", "vendor": { "name": "Oracle", "scada": false } } }, { "description": "Oracle WebLogic Server version 14.1.1.0.0", "product": { "name": "Weblogic", "vendor": { "name": "Oracle", "scada": false } } } ], "affected_systems_content": null, "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).", "cves": [ { "name": "CVE-2020-15250", "url": "https://www.cve.org/CVERecord?id=CVE-2020-15250" }, { "name": "CVE-2025-61764", "url": "https://www.cve.org/CVERecord?id=CVE-2025-61764" }, { "name": "CVE-2025-61752", "url": "https://www.cve.org/CVERecord?id=CVE-2025-61752" }, { "name": "CVE-2025-48924", "url": "https://www.cve.org/CVERecord?id=CVE-2025-48924" } ], "initial_release_date": "2025-10-22T00:00:00", "last_revision_date": "2025-10-22T00:00:00", "links": [], "reference": "CERTFR-2025-AVI-0911", "revisions": [ { "description": "Version initiale", "revision_date": "2025-10-22T00:00:00.000000" } ], "risks": [ { "description": "D\u00e9ni de service \u00e0 distance" }, { "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es" } ], "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Weblogic. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.", "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Weblogic", "vendor_advisories": [ { "published_at": "2025-10-21", "title": "Bulletin de s\u00e9curit\u00e9 Oracle Weblogic cpuoct2025", "url": "https://www.oracle.com/security-alerts/cpuoct2025.html" } ] }
CVE-2025-61764 (GCVE-0-2025-61764)
Vulnerability from cvelistv5
Published
2025-10-21 20:03
Modified
2025-10-22 14:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data.
Summary
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
References
URL | Tags | ||||
---|---|---|---|---|---|
|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Oracle Corporation | Oracle WebLogic Server |
Version: 12.2.1.4.0 ≤ Version: 14.1.1.0.0 ≤ Version: 14.1.2.0.0 ≤ |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-61764", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-22T14:36:48.066548Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-22T14:36:53.014Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Oracle WebLogic Server", "vendor": "Oracle Corporation", "versions": [ { "status": "affected", "version": "12.2.1.4.0", "versionType": "semver" }, { "status": "affected", "version": "14.1.1.0.0", "versionType": "semver" }, { "status": "affected", "version": "14.1.2.0.0", "versionType": "semver" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en-US", "value": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data.", "lang": "en-US" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-21T20:03:14.012Z", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle" }, "references": [ { "name": "Oracle Advisory", "tags": [ "vendor-advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2025.html" } ] } }, "cveMetadata": { "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2025-61764", "datePublished": "2025-10-21T20:03:14.012Z", "dateReserved": "2025-09-30T19:21:55.557Z", "dateUpdated": "2025-10-22T14:36:53.014Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-48924 (GCVE-0-2025-48924)
Vulnerability from cvelistv5
Published
2025-07-11 14:56
Modified
2025-07-14 16:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-674 - Uncontrolled Recursion
Summary
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
References
URL | Tags | ||||
---|---|---|---|---|---|
|
Impacted products
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
Apache Software Foundation | Apache Commons Lang |
Version: 2.0 |
|||||||
|
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-48924", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-14T16:36:59.432024Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-14T16:37:02.057Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unknown", "packageName": "commons-lang:commons-lang", "product": "Apache Commons Lang", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.6", "status": "affected", "version": "2.0", "versionType": "maven" } ] }, { "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.commons:commons-lang3", "product": "Apache Commons Lang", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "3.18.0", "status": "affected", "version": "3.0", "versionType": "maven" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "OSS-Fuzz Issue 42522972" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUncontrolled Recursion vulnerability in Apache Commons Lang.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons Lang: Starting with\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecommons-lang:commons-lang\u0026nbsp;\u003c/span\u003e2.0 to 2.6, and, from org.apache.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecommons:commons-lang3 3.0 before\u0026nbsp;\u003c/span\u003e3.18.0.\u003c/p\u003e\u003cp\u003eThe methods ClassUtils.getClass(...) can throw\u0026nbsp;StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u0026nbsp;cause an application to stop.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u003c/p\u003e" } ], "value": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\n\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u00a0cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue." } ], "metrics": [ { "other": { "content": { "text": "low" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-674", "description": "CWE-674 Uncontrolled Recursion", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-11T14:56:58.049Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-48924", "datePublished": "2025-07-11T14:56:58.049Z", "dateReserved": "2025-05-28T15:06:51.476Z", "dateUpdated": "2025-07-14T16:37:02.057Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-61752 (GCVE-0-2025-61752)
Vulnerability from cvelistv5
Published
2025-10-21 20:03
Modified
2025-10-22 18:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.
Summary
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
References
URL | Tags | ||||
---|---|---|---|---|---|
|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Oracle Corporation | Oracle WebLogic Server |
Version: 14.1.1.0.0 ≤ Version: 14.1.2.0.0 ≤ |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-61752", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-10-22T18:34:30.782416Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-22T18:34:45.428Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Oracle WebLogic Server", "vendor": "Oracle Corporation", "versions": [ { "status": "affected", "version": "14.1.1.0.0", "versionType": "semver" }, { "status": "affected", "version": "14.1.2.0.0", "versionType": "semver" } ] } ], "cpeApplicability": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en-US", "value": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.", "lang": "en-US" } ] } ], "providerMetadata": { "dateUpdated": "2025-10-21T20:03:09.540Z", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle" }, "references": [ { "name": "Oracle Advisory", "tags": [ "vendor-advisory" ], "url": "https://www.oracle.com/security-alerts/cpuoct2025.html" } ] } }, "cveMetadata": { "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2025-61752", "datePublished": "2025-10-21T20:03:09.540Z", "dateReserved": "2025-09-30T19:21:55.555Z", "dateUpdated": "2025-10-22T18:34:45.428Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-15250 (GCVE-0-2020-15250)
Vulnerability from cvelistv5
Published
2020-10-12 17:55
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
junit-team | junit4 |
Version: < 4.13.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:08:23.218Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html" }, { "name": "[creadur-dev] 20201013 [jira] [Created] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Commented] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-commits] 20201014 [creadur-whisker] branch master updated: Update junit to fix CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672%40%3Ccommits.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Assigned] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-commits] 20201014 [creadur-tentacles] branch master updated: Update junit to fix CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc%40%3Ccommits.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Updated] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Closed] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-commits] 20201014 [creadur-rat] 01/02: RAT-277: Update junit to fix CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0%40%3Ccommits.creadur.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/junit-team/junit4/issues/1676" }, { "name": "[debian-lts-announce] 20201101 [SECURITY] [DLA 2426-1] junit4 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html" }, { "name": "[pdfbox-dev] 20201115 ossindex-maven-plugin and build issue", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b%40%3Cdev.pdfbox.apache.org%3E" }, { "name": "[turbine-commits] 20210203 svn commit: r1886168 - in /turbine/core/trunk: ./ conf/ conf/test/ src/java/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/model/ xdocs/howto/", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381%40%3Ccommits.turbine.apache.org%3E" }, { "name": "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210413 [GitHub] [pulsar] lhotari removed a comment on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210413 [GitHub] [pulsar] lhotari commented on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210414 [GitHub] [pulsar] lhotari commented on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210414 [GitHub] [pulsar] lhotari removed a comment on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [GitHub] [pulsar] lhotari removed a comment on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [GitHub] [pulsar] lhotari commented on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [GitHub] [pulsar] eolivelli merged pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [pulsar] branch master updated: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak (#10147)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[creadur-commits] 20210621 [creadur-rat] 02/13: RAT-277: Update junit to fix CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094%40%3Ccommits.creadur.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-790) Upgrade to JUnit 4.13.1 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390%40%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-790 Upgrade to JUnit 4.13.1 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e%40%3Cpluto-scm.portals.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-790) Upgrade to JUnit 4.13.1 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d%40%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[knox-dev] 20211004 [jira] [Created] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211004 [GitHub] [knox] zeroflag opened a new pull request #505: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211004 [jira] [Work logged] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211004 [GitHub] [knox] zeroflag commented on pull request #505: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [jira] [Commented] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-commits] 20211008 [knox] branch master updated: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250 (#505)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a%40%3Ccommits.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [jira] [Resolved] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [jira] [Work logged] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [GitHub] [knox] smolnar82 merged pull request #505: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb%40%3Cdev.knox.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "junit4", "vendor": "junit-team", "versions": [ { "status": "affected", "version": "\u003c 4.13.1" } ] } ], "descriptions": [ { "lang": "en", "value": "In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system\u0027s temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:21:38", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md" }, { "tags": [ "x_refsource_MISC" ], "url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html" }, { "name": "[creadur-dev] 20201013 [jira] [Created] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Commented] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-commits] 20201014 [creadur-whisker] branch master updated: Update junit to fix CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672%40%3Ccommits.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Assigned] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-commits] 20201014 [creadur-tentacles] branch master updated: Update junit to fix CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc%40%3Ccommits.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Updated] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Closed] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-commits] 20201014 [creadur-rat] 01/02: RAT-277: Update junit to fix CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0%40%3Ccommits.creadur.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/junit-team/junit4/issues/1676" }, { "name": "[debian-lts-announce] 20201101 [SECURITY] [DLA 2426-1] junit4 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html" }, { "name": "[pdfbox-dev] 20201115 ossindex-maven-plugin and build issue", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b%40%3Cdev.pdfbox.apache.org%3E" }, { "name": "[turbine-commits] 20210203 svn commit: r1886168 - in /turbine/core/trunk: ./ conf/ conf/test/ src/java/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/model/ xdocs/howto/", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381%40%3Ccommits.turbine.apache.org%3E" }, { "name": "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210413 [GitHub] [pulsar] lhotari removed a comment on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210413 [GitHub] [pulsar] lhotari commented on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210414 [GitHub] [pulsar] lhotari commented on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210414 [GitHub] [pulsar] lhotari removed a comment on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [GitHub] [pulsar] lhotari removed a comment on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [GitHub] [pulsar] lhotari commented on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [GitHub] [pulsar] eolivelli merged pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [pulsar] branch master updated: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak (#10147)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[creadur-commits] 20210621 [creadur-rat] 02/13: RAT-277: Update junit to fix CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094%40%3Ccommits.creadur.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-790) Upgrade to JUnit 4.13.1 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390%40%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-790 Upgrade to JUnit 4.13.1 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e%40%3Cpluto-scm.portals.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-790) Upgrade to JUnit 4.13.1 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d%40%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[knox-dev] 20211004 [jira] [Created] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211004 [GitHub] [knox] zeroflag opened a new pull request #505: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211004 [jira] [Work logged] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211004 [GitHub] [knox] zeroflag commented on pull request #505: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [jira] [Commented] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-commits] 20211008 [knox] branch master updated: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250 (#505)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a%40%3Ccommits.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [jira] [Resolved] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [jira] [Work logged] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f%40%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [GitHub] [knox] smolnar82 merged pull request #505: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb%40%3Cdev.knox.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "source": { "advisory": "GHSA-269g-pwp5-87pp", "discovery": "UNKNOWN" }, "title": "Information disclosure in JUnit4", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15250", "STATE": "PUBLIC", "TITLE": "Information disclosure in JUnit4" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "junit4", "version": { "version_data": [ { "version_value": "\u003c 4.13.1" } ] } } ] }, "vendor_name": "junit-team" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system\u0027s temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp", "refsource": "CONFIRM", "url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp" }, { "name": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae", "refsource": "MISC", "url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae" }, { "name": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md", "refsource": "MISC", "url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md" }, { "name": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html", "refsource": "MISC", "url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html" }, { "name": "[creadur-dev] 20201013 [jira] [Created] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Commented] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-commits] 20201014 [creadur-whisker] branch master updated: Update junit to fix CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Assigned] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-commits] 20201014 [creadur-tentacles] branch master updated: Update junit to fix CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Updated] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20201014 [jira] [Closed] (RAT-277) Update junit in all Creadur projects in order to fix CVE-2020-15250 (Low severity)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-commits] 20201014 [creadur-rat] 01/02: RAT-277: Update junit to fix CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E" }, { "name": "https://github.com/junit-team/junit4/issues/1676", "refsource": "MISC", "url": "https://github.com/junit-team/junit4/issues/1676" }, { "name": "[debian-lts-announce] 20201101 [SECURITY] [DLA 2426-1] junit4 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html" }, { "name": "[pdfbox-dev] 20201115 ossindex-maven-plugin and build issue", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E" }, { "name": "[turbine-commits] 20210203 svn commit: r1886168 - in /turbine/core/trunk: ./ conf/ conf/test/ src/java/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/model/ xdocs/howto/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E" }, { "name": "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210413 [GitHub] [pulsar] lhotari removed a comment on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210413 [GitHub] [pulsar] lhotari commented on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210414 [GitHub] [pulsar] lhotari commented on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210414 [GitHub] [pulsar] lhotari removed a comment on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [GitHub] [pulsar] lhotari removed a comment on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [GitHub] [pulsar] lhotari commented on pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [GitHub] [pulsar] eolivelli merged pull request #10147: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210415 [pulsar] branch master updated: [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and fix test dependency leak (#10147)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[creadur-commits] 20210621 [creadur-rat] 02/13: RAT-277: Update junit to fix CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-790) Upgrade to JUnit 4.13.1 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-790 Upgrade to JUnit 4.13.1 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-790) Upgrade to JUnit 4.13.1 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[knox-dev] 20211004 [jira] [Created] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211004 [GitHub] [knox] zeroflag opened a new pull request #505: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211004 [jira] [Work logged] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211004 [GitHub] [knox] zeroflag commented on pull request #505: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [jira] [Commented] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E" }, { "name": "[knox-commits] 20211008 [knox] branch master updated: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250 (#505)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [jira] [Resolved] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [jira] [Work logged] (KNOX-2674) Upgrade junit to 4.13.2 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E" }, { "name": "[knox-dev] 20211008 [GitHub] [knox] smolnar82 merged pull request #505: KNOX-2674 - Upgrade junit to 4.13.2 due to CVE-2020-15250", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] }, "source": { "advisory": "GHSA-269g-pwp5-87pp", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15250", "datePublished": "2020-10-12T17:55:13", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:23.218Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…