Fedora 35 update for apache-commons-beanutils, apache-commons-cli, apache-commons-codec, apache-commons-collections, apache-commons-compress, apache-commons-io, apache-commons-jxpath, apache-commons-lang3, apache-commons-logging, apache-commons-parent, ap

Published: 2021-05-24

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2020-8908 CVE-2020-13936
CWE-ID	CWE-276 CWE-94
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Fedora Operating systems & Components / Operating system xz-java Operating systems & Components / Operating system package or component xmvn Operating systems & Components / Operating system package or component xmlunit Operating systems & Components / Operating system package or component xbean Operating systems & Components / Operating system package or component velocity Operating systems & Components / Operating system package or component univocity-parsers Operating systems & Components / Operating system package or component testng Operating systems & Components / Operating system package or component slf4j Operating systems & Components / Operating system package or component sisu-mojos Operating systems & Components / Operating system package or component sisu Operating systems & Components / Operating system package or component qdox Operating systems & Components / Operating system package or component plexus-utils Operating systems & Components / Operating system package or component plexus-sec-dispatcher Operating systems & Components / Operating system package or component plexus-resources Operating systems & Components / Operating system package or component plexus-pom Operating systems & Components / Operating system package or component plexus-languages Operating systems & Components / Operating system package or component plexus-io Operating systems & Components / Operating system package or component plexus-interpolation Operating systems & Components / Operating system package or component plexus-containers Operating systems & Components / Operating system package or component plexus-components-pom Operating systems & Components / Operating system package or component plexus-compiler Operating systems & Components / Operating system package or component plexus-classworlds Operating systems & Components / Operating system package or component plexus-cipher Operating systems & Components / Operating system package or component plexus-build-api Operating systems & Components / Operating system package or component plexus-archiver Operating systems & Components / Operating system package or component osgi-core Operating systems & Components / Operating system package or component osgi-compendium Operating systems & Components / Operating system package or component osgi-annotation Operating systems & Components / Operating system package or component opentest4j Operating systems & Components / Operating system package or component objenesis Operating systems & Components / Operating system package or component objectweb-asm Operating systems & Components / Operating system package or component munge-maven-plugin Operating systems & Components / Operating system package or component mojo-parent Operating systems & Components / Operating system package or component modello Operating systems & Components / Operating system package or component mockito Operating systems & Components / Operating system package or component maven-wagon Operating systems & Components / Operating system package or component maven-surefire Operating systems & Components / Operating system package or component maven-source-plugin Operating systems & Components / Operating system package or component maven-shared-utils Operating systems & Components / Operating system package or component maven-shared-io Operating systems & Components / Operating system package or component maven-shared-incremental Operating systems & Components / Operating system package or component maven-resources-plugin Operating systems & Components / Operating system package or component maven-resolver Operating systems & Components / Operating system package or component maven-remote-resources-plugin Operating systems & Components / Operating system package or component maven-plugin-tools Operating systems & Components / Operating system package or component maven-plugin-testing Operating systems & Components / Operating system package or component maven-plugin-bundle Operating systems & Components / Operating system package or component maven-plugin-build-helper Operating systems & Components / Operating system package or component maven-parent Operating systems & Components / Operating system package or component maven-jar-plugin Operating systems & Components / Operating system package or component maven-filtering Operating systems & Components / Operating system package or component maven-file-management Operating systems & Components / Operating system package or component maven-enforcer Operating systems & Components / Operating system package or component maven-dependency-tree Operating systems & Components / Operating system package or component maven-dependency-plugin Operating systems & Components / Operating system package or component maven-dependency-analyzer Operating systems & Components / Operating system package or component maven-compiler-plugin Operating systems & Components / Operating system package or component maven-common-artifact-filters Operating systems & Components / Operating system package or component maven-assembly-plugin Operating systems & Components / Operating system package or component maven-artifact-transfer Operating systems & Components / Operating system package or component maven-archiver Operating systems & Components / Operating system package or component maven-antrun-plugin Operating systems & Components / Operating system package or component maven Operating systems & Components / Operating system package or component junit5 Operating systems & Components / Operating system package or component junit Operating systems & Components / Operating system package or component jsr-305 Operating systems & Components / Operating system package or component jsoup Operating systems & Components / Operating system package or component jflex Operating systems & Components / Operating system package or component jdom2 Operating systems & Components / Operating system package or component jdom Operating systems & Components / Operating system package or component javapackages-tools Operating systems & Components / Operating system package or component java_cup Operating systems & Components / Operating system package or component jansi Operating systems & Components / Operating system package or component jakarta-servlet Operating systems & Components / Operating system package or component jakarta-annotations Operating systems & Components / Operating system package or component httpcomponents-project Operating systems & Components / Operating system package or component httpcomponents-core Operating systems & Components / Operating system package or component httpcomponents-client Operating systems & Components / Operating system package or component hamcrest Operating systems & Components / Operating system package or component guava Operating systems & Components / Operating system package or component google-guice Operating systems & Components / Operating system package or component fusesource-pom Operating systems & Components / Operating system package or component felix-utils Operating systems & Components / Operating system package or component felix-parent Operating systems & Components / Operating system package or component easymock Operating systems & Components / Operating system package or component cglib Operating systems & Components / Operating system package or component cdi-api Operating systems & Components / Operating system package or component byte-buddy Operating systems & Components / Operating system package or component beust-jcommander Operating systems & Components / Operating system package or component atinject Operating systems & Components / Operating system package or component assertj-core Operating systems & Components / Operating system package or component aqute-bnd Operating systems & Components / Operating system package or component apiguardian Operating systems & Components / Operating system package or component apache-resource-bundles Operating systems & Components / Operating system package or component apache-parent Operating systems & Components / Operating system package or component apache-commons-parent Operating systems & Components / Operating system package or component apache-commons-logging Operating systems & Components / Operating system package or component apache-commons-lang3 Operating systems & Components / Operating system package or component apache-commons-jxpath Operating systems & Components / Operating system package or component apache-commons-io Operating systems & Components / Operating system package or component apache-commons-compress Operating systems & Components / Operating system package or component apache-commons-collections Operating systems & Components / Operating system package or component apache-commons-codec Operating systems & Components / Operating system package or component apache-commons-cli Operating systems & Components / Operating system package or component apache-commons-beanutils Operating systems & Components / Operating system package or component
Vendor	Fedoraproject

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Incorrect default permissions

EUVDB-ID: #VU50139

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-8908

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for files located in the temporary directory set by the Guava com.google.common.io.Files.createTempDir(). A local user with access to the system can view contents of files and directories or modify them.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Fedora: 35

xz-java: before 1.8-11.fc35

xmvn: before 4.0.0~20191028.da67577-6.fc35

xmlunit: before 2.8.2-2.fc35

xbean: before 4.18-2.fc35

velocity: before 1.7-35.fc35

univocity-parsers: before 2.9.1-2.fc35

testng: before 7.3.0-2.fc35

slf4j: before 1.7.30-9.fc35

sisu-mojos: before 0.3.4-7.fc35

sisu: before 0.3.4-5.fc35

qdox: before 2.0.0-5.fc35

plexus-utils: before 3.3.0-6.fc35

plexus-sec-dispatcher: before 1.4-33.fc35

plexus-resources: before 1.1.0-6.fc35

plexus-pom: before 7-2.fc35

plexus-languages: before 1.0.6-2.fc35

plexus-io: before 3.2.0-6.fc35

plexus-interpolation: before 1.26-7.fc35

plexus-containers: before 2.1.0-6.fc35

plexus-components-pom: before 6.5-3.fc35

plexus-compiler: before 2.8.8-2.fc35

plexus-classworlds: before 2.6.0-7.fc35

plexus-cipher: before 1.7-23.fc35

plexus-build-api: before 0.0.7-32.fc35

plexus-archiver: before 4.2.4-2.fc35

osgi-core: before 8.0.0-2.fc35

osgi-compendium: before 7.0.0-9.fc35

osgi-annotation: before 8.0.0-2.fc35

opentest4j: before 1.2.0-6.fc35

objenesis: before 3.1-6.fc35

objectweb-asm: before 9.1-2.fc35

munge-maven-plugin: before 1.0-20.fc35

mojo-parent: before 60-2.fc35

modello: before 1.11-5.fc35

mockito: before 3.7.13-2.fc35

maven-wagon: before 3.4.2-2.fc35

maven-surefire: before 3.0.0~M4-2.fc35

maven-source-plugin: before 3.2.1-5.fc35

maven-shared-utils: before 3.3.3-2.fc35

maven-shared-io: before 3.0.0-13.fc35

maven-shared-incremental: before 1.1-22.fc35

maven-resources-plugin: before 3.2.0-3.fc35

maven-resolver: before 1.6.1-2.fc35

maven-remote-resources-plugin: before 1.7.0-5.fc35

maven-plugin-tools: before 3.6.0-9.fc35

maven-plugin-testing: before 3.3.0-20.fc35

maven-plugin-bundle: before 5.1.1-2.fc35

maven-plugin-build-helper: before 3.2.0-4.fc35

maven-parent: before 34-7.fc35

maven-jar-plugin: before 3.2.0-6.fc35

maven-filtering: before 3.2.0-2.fc35

maven-file-management: before 3.0.0-13.fc35

maven-enforcer: before 3.0.0~M3-5.fc35

maven-dependency-tree: before 3.0.1-7.fc35

maven-dependency-plugin: before 3.1.2-6.fc35

maven-dependency-analyzer: before 1.11.3-3.fc35

maven-compiler-plugin: before 3.8.1-9.fc35

maven-common-artifact-filters: before 3.1.1-2.fc35

maven-assembly-plugin: before 3.3.0-5.fc35

maven-artifact-transfer: before 0.13.1-2.fc35

maven-archiver: before 3.5.1-2.fc35

maven-antrun-plugin: before 3.0.0-2.fc35

maven: before 3.6.3-9.fc35

junit5: before 5.7.1-2.fc35

junit: before 4.13.1-2.fc35

jsr-305: before 3.0.2-2.fc35

jsoup: before 1.13.1-6.fc35

jflex: before 1.7.0-6.fc35

jdom2: before 2.0.6-22.fc35

jdom: before 1.1.3-25.fc35

javapackages-tools: before 6.0.0~alpha-6.fc35

java_cup: before 0.11b-17.fc35

jansi: before 2.1.1-4.fc35

jakarta-servlet: before 5.0.0-6.fc35

jakarta-annotations: before 1.3.5-8.fc35

httpcomponents-project: before 12-3.fc35

httpcomponents-core: before 4.4.13-3.fc35

httpcomponents-client: before 4.5.11-3.fc35

hamcrest: before 2.2-3.fc35

guava: before 30.1-2.fc35

google-guice: before 4.2.3-5.fc35

fusesource-pom: before 1.12-7.fc35

felix-utils: before 1.11.6-2.fc35

felix-parent: before 7-5.fc35

easymock: before 4.2-3.fc35

cglib: before 3.3.0-3.fc35

cdi-api: before 2.0.2-2.fc35

byte-buddy: before 1.10.20-2.fc35

beust-jcommander: before 1.78-6.fc35

atinject: before 1.0.3-2.fc35

assertj-core: before 3.19.0-2.fc35

aqute-bnd: before 5.2.0-2.fc35

apiguardian: before 1.1.1-2.fc35

apache-resource-bundles: before 30-2.fc35

apache-parent: before 23-5.fc35

apache-commons-parent: before 52-3.fc35

apache-commons-logging: before 1.2-26.fc35

apache-commons-lang3: before 3.12.0-2.fc35

apache-commons-jxpath: before 1.3-39.fc35

apache-commons-io: before 2.8.0-4.fc35

apache-commons-compress: before 1.20-6.fc35

apache-commons-collections: before 3.2.2-23.fc35

apache-commons-codec: before 1.15-3.fc35

apache-commons-cli: before 1.4-13.fc35

apache-commons-beanutils: before 1.9.4-6.fc35

CPE2.3

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2021-bcbca49b6d

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Code Injection

EUVDB-ID: #VU51511

Risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-13936

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')