Fedora 35 update for apache-commons-beanutils, apache-commons-cli, apache-commons-codec, apache-commons-collections, apache-commons-compress, apache-commons-io, apache-commons-jxpath, apache-commons-lang3, apache-commons-logging, apache-commons-parent, ap



Risk: High
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2020-8908, CVE-2020-13936
CWE-ID: CWE-276, CWE-94
Exploitation vector: Network
Public exploit: N/A
Vulnerable software

Fedora (Operating systems & Components / Operating system)

Operating system packages or components (Operating systems & Components / Operating system package or component):
xz-java
xmvn
xmlunit
xbean
velocity
univocity-parsers
testng
slf4j
sisu-mojos
sisu
qdox
plexus-utils
plexus-sec-dispatcher
plexus-resources
plexus-pom
plexus-languages
plexus-io
plexus-interpolation
plexus-containers
plexus-components-pom
plexus-compiler
plexus-classworlds
plexus-cipher
plexus-build-api
plexus-archiver
osgi-core
osgi-compendium
osgi-annotation
opentest4j
objenesis
objectweb-asm
munge-maven-plugin
mojo-parent
modello
mockito
maven-wagon
maven-surefire
maven-source-plugin
maven-shared-utils
maven-shared-io
maven-shared-incremental
maven-resources-plugin
maven-resolver
maven-remote-resources-plugin
maven-plugin-tools
maven-plugin-testing
maven-plugin-bundle
maven-plugin-build-helper
maven-parent
maven-jar-plugin
maven-filtering
maven-file-management
maven-enforcer
maven-dependency-tree
maven-dependency-plugin
maven-dependency-analyzer
maven-compiler-plugin
maven-common-artifact-filters
maven-assembly-plugin
maven-artifact-transfer
maven-archiver
maven-antrun-plugin
maven
junit5
junit
jsr-305
jsoup
jflex
jdom2
jdom
javapackages-tools
java_cup
jansi
jakarta-servlet
jakarta-annotations
httpcomponents-project
httpcomponents-core
httpcomponents-client
hamcrest
guava
google-guice
fusesource-pom
felix-utils
felix-parent
easymock
cglib
cdi-api
byte-buddy
beust-jcommander
atinject
assertj-core
aqute-bnd
apiguardian
apache-resource-bundles
apache-parent
apache-commons-parent
apache-commons-logging
apache-commons-lang3
apache-commons-jxpath
apache-commons-io
apache-commons-compress
apache-commons-collections
apache-commons-codec
apache-commons-cli
apache-commons-beanutils

Vendor: Fedoraproject

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Incorrect default permissions

EUVDB-ID: #VU50139

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-8908

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the temporary directory created by Guava's com.google.common.io.Files.createTempDir() is given incorrect default permissions. A local user with access to the system can read the contents of files and directories inside it or modify them.
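The safe replacement for the Guava call is the JDK's own java.nio.file.Files.createTempDirectory(), which accepts a file-attribute argument so the directory is created with an owner-only mode in a single step rather than inheriting the process umask. The following is an added illustration written for this bulletin, not code from Guava, Fedora or the affected packages; the class and method names (SafeTempDir, createPrivateTempDir, isOwnerOnly) are assumptions, and it assumes a POSIX filesystem, since the POSIX permission attribute is not supported on Windows.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/** Illustrative helper (not part of Guava or any package in this bulletin). */
public final class SafeTempDir {

    // Pattern to avoid (shown for reference, not executed here):
    //   java.io.File dir = com.google.common.io.Files.createTempDir();
    // It creates the directory under java.io.tmpdir with the default mode
    // derived from the process umask, so other local users may be able to
    // list, read or modify its contents (CWE-276).

    /** Creates a temporary directory that only the owning user can enter, read or write. */
    public static Path createPrivateTempDir(String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> attr =
                PosixFilePermissions.asFileAttribute(ownerOnly);
        // The mode is applied at creation time, so there is no window during
        // which the directory exists with a more permissive mode.
        return Files.createTempDirectory(prefix, attr);
    }

    /** Post-condition check: true only if no group or world permission bit is set. */
    public static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            switch (p) {
                case GROUP_READ:
                case GROUP_WRITE:
                case GROUP_EXECUTE:
                case OTHERS_READ:
                case OTHERS_WRITE:
                case OTHERS_EXECUTE:
                    return false;
                default:
                    break;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("app-");
        try {
            if (!isOwnerOnly(dir)) {
                throw new IllegalStateException("temp dir is not owner-only: " + dir);
            }
            System.out.println("created private temp dir " + dir);
        } finally {
            Files.delete(dir);
        }
    }
}
```

The isOwnerOnly() check is useful as a guard in code that hands a temporary directory to a component you do not control, or as a quick audit of directories an application has already created under java.io.tmpdir: any GROUP_* or OTHERS_* bit on such a directory is the condition this bulletin describes.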

Mitigation

Install updates from the vendor's repository.

Vulnerable software versions

Fedora: 35

xz-java: before 1.8-11.fc35

xmvn: before 4.0.0~20191028.da67577-6.fc35

xmlunit: before 2.8.2-2.fc35

xbean: before 4.18-2.fc35

velocity: before 1.7-35.fc35

univocity-parsers: before 2.9.1-2.fc35

testng: before 7.3.0-2.fc35

slf4j: before 1.7.30-9.fc35

sisu-mojos: before 0.3.4-7.fc35

sisu: before 0.3.4-5.fc35

qdox: before 2.0.0-5.fc35

plexus-utils: before 3.3.0-6.fc35

plexus-sec-dispatcher: before 1.4-33.fc35

plexus-resources: before 1.1.0-6.fc35

plexus-pom: before 7-2.fc35

plexus-languages: before 1.0.6-2.fc35

plexus-io: before 3.2.0-6.fc35

plexus-interpolation: before 1.26-7.fc35

plexus-containers: before 2.1.0-6.fc35

plexus-components-pom: before 6.5-3.fc35

plexus-compiler: before 2.8.8-2.fc35

plexus-classworlds: before 2.6.0-7.fc35

plexus-cipher: before 1.7-23.fc35

plexus-build-api: before 0.0.7-32.fc35

plexus-archiver: before 4.2.4-2.fc35

osgi-core: before 8.0.0-2.fc35

osgi-compendium: before 7.0.0-9.fc35

osgi-annotation: before 8.0.0-2.fc35

opentest4j: before 1.2.0-6.fc35

objenesis: before 3.1-6.fc35

objectweb-asm: before 9.1-2.fc35

munge-maven-plugin: before 1.0-20.fc35

mojo-parent: before 60-2.fc35

modello: before 1.11-5.fc35

mockito: before 3.7.13-2.fc35

maven-wagon: before 3.4.2-2.fc35

maven-surefire: before 3.0.0~M4-2.fc35

maven-source-plugin: before 3.2.1-5.fc35

maven-shared-utils: before 3.3.3-2.fc35

maven-shared-io: before 3.0.0-13.fc35

maven-shared-incremental: before 1.1-22.fc35

maven-resources-plugin: before 3.2.0-3.fc35

maven-resolver: before 1.6.1-2.fc35

maven-remote-resources-plugin: before 1.7.0-5.fc35

maven-plugin-tools: before 3.6.0-9.fc35

maven-plugin-testing: before 3.3.0-20.fc35

maven-plugin-bundle: before 5.1.1-2.fc35

maven-plugin-build-helper: before 3.2.0-4.fc35

maven-parent: before 34-7.fc35

maven-jar-plugin: before 3.2.0-6.fc35

maven-filtering: before 3.2.0-2.fc35

maven-file-management: before 3.0.0-13.fc35

maven-enforcer: before 3.0.0~M3-5.fc35

maven-dependency-tree: before 3.0.1-7.fc35

maven-dependency-plugin: before 3.1.2-6.fc35

maven-dependency-analyzer: before 1.11.3-3.fc35

maven-compiler-plugin: before 3.8.1-9.fc35

maven-common-artifact-filters: before 3.1.1-2.fc35

maven-assembly-plugin: before 3.3.0-5.fc35

maven-artifact-transfer: before 0.13.1-2.fc35

maven-archiver: before 3.5.1-2.fc35

maven-antrun-plugin: before 3.0.0-2.fc35

maven: before 3.6.3-9.fc35

junit5: before 5.7.1-2.fc35

junit: before 4.13.1-2.fc35

jsr-305: before 3.0.2-2.fc35

jsoup: before 1.13.1-6.fc35

jflex: before 1.7.0-6.fc35

jdom2: before 2.0.6-22.fc35

jdom: before 1.1.3-25.fc35

javapackages-tools: before 6.0.0~alpha-6.fc35

java_cup: before 0.11b-17.fc35

jansi: before 2.1.1-4.fc35

jakarta-servlet: before 5.0.0-6.fc35

jakarta-annotations: before 1.3.5-8.fc35

httpcomponents-project: before 12-3.fc35

httpcomponents-core: before 4.4.13-3.fc35

httpcomponents-client: before 4.5.11-3.fc35

hamcrest: before 2.2-3.fc35

guava: before 30.1-2.fc35

google-guice: before 4.2.3-5.fc35

fusesource-pom: before 1.12-7.fc35

felix-utils: before 1.11.6-2.fc35

felix-parent: before 7-5.fc35

easymock: before 4.2-3.fc35

cglib: before 3.3.0-3.fc35

cdi-api: before 2.0.2-2.fc35

byte-buddy: before 1.10.20-2.fc35

beust-jcommander: before 1.78-6.fc35

atinject: before 1.0.3-2.fc35

assertj-core: before 3.19.0-2.fc35

aqute-bnd: before 5.2.0-2.fc35

apiguardian: before 1.1.1-2.fc35

apache-resource-bundles: before 30-2.fc35

apache-parent: before 23-5.fc35

apache-commons-parent: before 52-3.fc35

apache-commons-logging: before 1.2-26.fc35

apache-commons-lang3: before 3.12.0-2.fc35

apache-commons-jxpath: before 1.3-39.fc35

apache-commons-io: before 2.8.0-4.fc35

apache-commons-compress: before 1.20-6.fc35

apache-commons-collections: before 3.2.2-23.fc35

apache-commons-codec: before 1.15-3.fc35

apache-commons-cli: before 1.4-13.fc35

apache-commons-beanutils: before 1.9.4-6.fc35

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2021-bcbca49b6d


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must hold valid credentials and successfully authenticate to the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Code Injection

EUVDB-ID: #VU51511

Risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-13936

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker who is able to modify Velocity templates can inject and execute arbitrary Java code with the same privileges as the account running the Servlet container.


Mitigation

Install updates from the vendor's repository.

Vulnerable software versions

Fedora: 35

xz-java: before 1.8-11.fc35

xmvn: before 4.0.0~20191028.da67577-6.fc35

xmlunit: before 2.8.2-2.fc35

xbean: before 4.18-2.fc35

velocity: before 1.7-35.fc35

univocity-parsers: before 2.9.1-2.fc35

testng: before 7.3.0-2.fc35

slf4j: before 1.7.30-9.fc35

sisu-mojos: before 0.3.4-7.fc35

sisu: before 0.3.4-5.fc35

qdox: before 2.0.0-5.fc35

plexus-utils: before 3.3.0-6.fc35

plexus-sec-dispatcher: before 1.4-33.fc35

plexus-resources: before 1.1.0-6.fc35

plexus-pom: before 7-2.fc35

plexus-languages: before 1.0.6-2.fc35

plexus-io: before 3.2.0-6.fc35

plexus-interpolation: before 1.26-7.fc35

plexus-containers: before 2.1.0-6.fc35

plexus-components-pom: before 6.5-3.fc35

plexus-compiler: before 2.8.8-2.fc35

plexus-classworlds: before 2.6.0-7.fc35

plexus-cipher: before 1.7-23.fc35

plexus-build-api: before 0.0.7-32.fc35

plexus-archiver: before 4.2.4-2.fc35

osgi-core: before 8.0.0-2.fc35

osgi-compendium: before 7.0.0-9.fc35

osgi-annotation: before 8.0.0-2.fc35

opentest4j: before 1.2.0-6.fc35

objenesis: before 3.1-6.fc35

objectweb-asm: before 9.1-2.fc35

munge-maven-plugin: before 1.0-20.fc35

mojo-parent: before 60-2.fc35

modello: before 1.11-5.fc35

mockito: before 3.7.13-2.fc35

maven-wagon: before 3.4.2-2.fc35

maven-surefire: before 3.0.0~M4-2.fc35

maven-source-plugin: before 3.2.1-5.fc35

maven-shared-utils: before 3.3.3-2.fc35

maven-shared-io: before 3.0.0-13.fc35

maven-shared-incremental: before 1.1-22.fc35

maven-resources-plugin: before 3.2.0-3.fc35

maven-resolver: before 1.6.1-2.fc35

maven-remote-resources-plugin: before 1.7.0-5.fc35

maven-plugin-tools: before 3.6.0-9.fc35

maven-plugin-testing: before 3.3.0-20.fc35

maven-plugin-bundle: before 5.1.1-2.fc35

maven-plugin-build-helper: before 3.2.0-4.fc35

maven-parent: before 34-7.fc35

maven-jar-plugin: before 3.2.0-6.fc35

maven-filtering: before 3.2.0-2.fc35

maven-file-management: before 3.0.0-13.fc35

maven-enforcer: before 3.0.0~M3-5.fc35

maven-dependency-tree: before 3.0.1-7.fc35

maven-dependency-plugin: before 3.1.2-6.fc35

maven-dependency-analyzer: before 1.11.3-3.fc35

maven-compiler-plugin: before 3.8.1-9.fc35

maven-common-artifact-filters: before 3.1.1-2.fc35

maven-assembly-plugin: before 3.3.0-5.fc35

maven-artifact-transfer: before 0.13.1-2.fc35

maven-archiver: before 3.5.1-2.fc35

maven-antrun-plugin: before 3.0.0-2.fc35

maven: before 3.6.3-9.fc35

junit5: before 5.7.1-2.fc35

junit: before 4.13.1-2.fc35

jsr-305: before 3.0.2-2.fc35

jsoup: before 1.13.1-6.fc35

jflex: before 1.7.0-6.fc35

jdom2: before 2.0.6-22.fc35

jdom: before 1.1.3-25.fc35

javapackages-tools: before 6.0.0~alpha-6.fc35

java_cup: before 0.11b-17.fc35

jansi: before 2.1.1-4.fc35

jakarta-servlet: before 5.0.0-6.fc35

jakarta-annotations: before 1.3.5-8.fc35

httpcomponents-project: before 12-3.fc35

httpcomponents-core: before 4.4.13-3.fc35

httpcomponents-client: before 4.5.11-3.fc35

hamcrest: before 2.2-3.fc35

guava: before 30.1-2.fc35

google-guice: before 4.2.3-5.fc35

fusesource-pom: before 1.12-7.fc35

felix-utils: before 1.11.6-2.fc35

felix-parent: before 7-5.fc35

easymock: before 4.2-3.fc35

cglib: before 3.3.0-3.fc35

cdi-api: before 2.0.2-2.fc35

byte-buddy: before 1.10.20-2.fc35

beust-jcommander: before 1.78-6.fc35

atinject: before 1.0.3-2.fc35

assertj-core: before 3.19.0-2.fc35

aqute-bnd: before 5.2.0-2.fc35

apiguardian: before 1.1.1-2.fc35

apache-resource-bundles: before 30-2.fc35

apache-parent: before 23-5.fc35

apache-commons-parent: before 52-3.fc35

apache-commons-logging: before 1.2-26.fc35

apache-commons-lang3: before 3.12.0-2.fc35

apache-commons-jxpath: before 1.3-39.fc35

apache-commons-io: before 2.8.0-4.fc35

apache-commons-compress: before 1.20-6.fc35

apache-commons-collections: before 3.2.2-23.fc35

apache-commons-codec: before 1.15-3.fc35

apache-commons-cli: before 1.4-13.fc35

apache-commons-beanutils: before 1.9.4-6.fc35

External links

https://bodhi.fedoraproject.org/updates/FEDORA-2021-bcbca49b6d


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
