CVE-2020-15250

CWE-200Information ExposureCWE-732Incorrect Permission Assignment14 documents10 sources
Severity
5.5MEDIUM
EPSS
0.1%
top 77.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Junit-team Junit4Apache PlutoJunit Junit4+2 more
Timeline
PublishedOct 12
Latest updateOct 15

Description

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an inform

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages6 packages

NVDjunit/junit44.74.13.1
CVEListV5junit-team/junit4< 4.13.1
Debianjunit4< 4.13.1-1+3
Mavenjunit:junit4.74.13.1
NVDapache/pluto< 3.1.1

Also affects: Debian Linux 9.0

Patches

Patch: github.comPatch: www.oracle.comPatch: github.com

🔴Vulnerability Details

4
CVEList
Information disclosure in JUnit42020-10-12
OSV
TemporaryFolder on unix-like systems does not limit access to created files2020-10-12
GHSA
TemporaryFolder on unix-like systems does not limit access to created files2020-10-12
OSV
CVE-2020-15250: In JUnit4 from version 42020-10-12

📋Vendor Advisories

8
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (GlassFish Server) — CVE-2020-152502025-10-15
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Infrastructure (Jakarta Expression Language) — CVE-2020-152502024-01-15
Oracle
Oracle Oracle JD Edwards Risk Matrix: Business Logic Infra SEC (jUnit) — CVE-2020-152502023-04-15
Oracle
Oracle Oracle Communications Risk Matrix: Policy (JUnit) — CVE-2020-152502022-04-15
Ubuntu
JUnit 4 vulnerability2021-02-10

💬Community

1
Bugzilla
CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure2020-10-13
CVE-2020-15250 (MEDIUM CVSS 5.5) | In JUnit4 from version 4.7 and befo | cvebase.io