Risk | High |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2020-8908, CVE-2020-13936 |
CWE-ID | CWE-276, CWE-94 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Fedora (Operating systems & Components / Operating system) and the following Fedora packages (Operating systems & Components / Operating system package or component): xz-java, xmvn, xmlunit, xbean, velocity, univocity-parsers, testng, slf4j, sisu-mojos, sisu, qdox, plexus-utils, plexus-sec-dispatcher, plexus-resources, plexus-pom, plexus-languages, plexus-io, plexus-interpolation, plexus-containers, plexus-components-pom, plexus-compiler, plexus-classworlds, plexus-cipher, plexus-build-api, plexus-archiver, osgi-core, osgi-compendium, osgi-annotation, opentest4j, objenesis, objectweb-asm, munge-maven-plugin, mojo-parent, modello, mockito, maven-wagon, maven-surefire, maven-source-plugin, maven-shared-utils, maven-shared-io, maven-shared-incremental, maven-resources-plugin, maven-resolver, maven-remote-resources-plugin, maven-plugin-tools, maven-plugin-testing, maven-plugin-bundle, maven-plugin-build-helper, maven-parent, maven-jar-plugin, maven-filtering, maven-file-management, maven-enforcer, maven-dependency-tree, maven-dependency-plugin, maven-dependency-analyzer, maven-compiler-plugin, maven-common-artifact-filters, maven-assembly-plugin, maven-artifact-transfer, maven-archiver, maven-antrun-plugin, maven, junit5, junit, jsr-305, jsoup, jflex, jdom2, jdom, javapackages-tools, java_cup, jansi, jakarta-servlet, jakarta-annotations, httpcomponents-project, httpcomponents-core, httpcomponents-client, hamcrest, guava, google-guice, fusesource-pom, felix-utils, felix-parent, easymock, cglib, cdi-api, byte-buddy, beust-jcommander, atinject, assertj-core, aqute-bnd, apiguardian, apache-resource-bundles, apache-parent, apache-commons-parent, apache-commons-logging, apache-commons-lang3, apache-commons-jxpath, apache-commons-io, apache-commons-compress, apache-commons-collections, apache-commons-codec, apache-commons-cli, apache-commons-beanutils |
Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU50139
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-8908
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files located in the temporary directory created by Guava's com.google.common.io.Files.createTempDir(). A local user with access to the system can view the contents of files and directories or modify them.
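The weakness is a CWE-276 one: a temporary directory whose mode lets other local users read or write it. The Java below is an added example (not code from Guava, Fedora or this bulletin) showing the standard-library way to create an owner-only temp directory and a check that rejects any group or world bits; it assumes a POSIX filesystem for the permission check and falls back to the platform default elsewhere.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Owner-only temp directory plus a CWE-276 permission check (added example, not Guava/Fedora code). */
public final class PrivateTempDir {

    // rwx for the owner, nothing for group or others.
    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");

    /** Creates a temp directory that only the current user can read, write or traverse. */
    public static Path create(String prefix) throws IOException {
        if (!isPosix()) {
            // Non-POSIX filesystems (e.g. Windows) have no mode bits to set;
            // java.nio then relies on the ACL of the user's temp directory.
            return Files.createTempDirectory(prefix);
        }
        FileAttribute<Set<PosixFilePermission>> mode = PosixFilePermissions.asFileAttribute(OWNER_ONLY);
        // The mode is applied atomically at mkdir time, so there is no window
        // in which the directory exists with looser permissions.
        Path dir = Files.createTempDirectory(prefix, mode);
        if (!isOwnerOnly(dir)) {
            // Defensive re-check: remove the directory rather than use it.
            Files.delete(dir);
            throw new IOException("temp dir " + dir + " is not owner-only");
        }
        return dir;
    }

    /** True when the path carries no group or world permission bits. */
    public static boolean isOwnerOnly(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        Set<PosixFilePermission> disallowed = EnumSet.complementOf(EnumSet.of(
                PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE,
                PosixFilePermission.OWNER_EXECUTE));
        disallowed.retainAll(perms);   // keep only the bits that should not be set
        return disallowed.isEmpty();
    }

    private static boolean isPosix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    public static void main(String[] args) throws IOException {
        Path dir = create("app-");
        if (isPosix()) {
            System.out.println(dir + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)));
        }
        Files.delete(dir);
    }
}
```

The same `isOwnerOnly` check can be run over an existing temp directory to confirm whether a deployed application created it with a loose mode.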
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 35
xz-java: before 1.8-11.fc35
xmvn: before 4.0.0~20191028.da67577-6.fc35
xmlunit: before 2.8.2-2.fc35
xbean: before 4.18-2.fc35
velocity: before 1.7-35.fc35
univocity-parsers: before 2.9.1-2.fc35
testng: before 7.3.0-2.fc35
slf4j: before 1.7.30-9.fc35
sisu-mojos: before 0.3.4-7.fc35
sisu: before 0.3.4-5.fc35
qdox: before 2.0.0-5.fc35
plexus-utils: before 3.3.0-6.fc35
plexus-sec-dispatcher: before 1.4-33.fc35
plexus-resources: before 1.1.0-6.fc35
plexus-pom: before 7-2.fc35
plexus-languages: before 1.0.6-2.fc35
plexus-io: before 3.2.0-6.fc35
plexus-interpolation: before 1.26-7.fc35
plexus-containers: before 2.1.0-6.fc35
plexus-components-pom: before 6.5-3.fc35
plexus-compiler: before 2.8.8-2.fc35
plexus-classworlds: before 2.6.0-7.fc35
plexus-cipher: before 1.7-23.fc35
plexus-build-api: before 0.0.7-32.fc35
plexus-archiver: before 4.2.4-2.fc35
osgi-core: before 8.0.0-2.fc35
osgi-compendium: before 7.0.0-9.fc35
osgi-annotation: before 8.0.0-2.fc35
opentest4j: before 1.2.0-6.fc35
objenesis: before 3.1-6.fc35
objectweb-asm: before 9.1-2.fc35
munge-maven-plugin: before 1.0-20.fc35
mojo-parent: before 60-2.fc35
modello: before 1.11-5.fc35
mockito: before 3.7.13-2.fc35
maven-wagon: before 3.4.2-2.fc35
maven-surefire: before 3.0.0~M4-2.fc35
maven-source-plugin: before 3.2.1-5.fc35
maven-shared-utils: before 3.3.3-2.fc35
maven-shared-io: before 3.0.0-13.fc35
maven-shared-incremental: before 1.1-22.fc35
maven-resources-plugin: before 3.2.0-3.fc35
maven-resolver: before 1.6.1-2.fc35
maven-remote-resources-plugin: before 1.7.0-5.fc35
maven-plugin-tools: before 3.6.0-9.fc35
maven-plugin-testing: before 3.3.0-20.fc35
maven-plugin-bundle: before 5.1.1-2.fc35
maven-plugin-build-helper: before 3.2.0-4.fc35
maven-parent: before 34-7.fc35
maven-jar-plugin: before 3.2.0-6.fc35
maven-filtering: before 3.2.0-2.fc35
maven-file-management: before 3.0.0-13.fc35
maven-enforcer: before 3.0.0~M3-5.fc35
maven-dependency-tree: before 3.0.1-7.fc35
maven-dependency-plugin: before 3.1.2-6.fc35
maven-dependency-analyzer: before 1.11.3-3.fc35
maven-compiler-plugin: before 3.8.1-9.fc35
maven-common-artifact-filters: before 3.1.1-2.fc35
maven-assembly-plugin: before 3.3.0-5.fc35
maven-artifact-transfer: before 0.13.1-2.fc35
maven-archiver: before 3.5.1-2.fc35
maven-antrun-plugin: before 3.0.0-2.fc35
maven: before 3.6.3-9.fc35
junit5: before 5.7.1-2.fc35
junit: before 4.13.1-2.fc35
jsr-305: before 3.0.2-2.fc35
jsoup: before 1.13.1-6.fc35
jflex: before 1.7.0-6.fc35
jdom2: before 2.0.6-22.fc35
jdom: before 1.1.3-25.fc35
javapackages-tools: before 6.0.0~alpha-6.fc35
java_cup: before 0.11b-17.fc35
jansi: before 2.1.1-4.fc35
jakarta-servlet: before 5.0.0-6.fc35
jakarta-annotations: before 1.3.5-8.fc35
httpcomponents-project: before 12-3.fc35
httpcomponents-core: before 4.4.13-3.fc35
httpcomponents-client: before 4.5.11-3.fc35
hamcrest: before 2.2-3.fc35
guava: before 30.1-2.fc35
google-guice: before 4.2.3-5.fc35
fusesource-pom: before 1.12-7.fc35
felix-utils: before 1.11.6-2.fc35
felix-parent: before 7-5.fc35
easymock: before 4.2-3.fc35
cglib: before 3.3.0-3.fc35
cdi-api: before 2.0.2-2.fc35
byte-buddy: before 1.10.20-2.fc35
beust-jcommander: before 1.78-6.fc35
atinject: before 1.0.3-2.fc35
assertj-core: before 3.19.0-2.fc35
aqute-bnd: before 5.2.0-2.fc35
apiguardian: before 1.1.1-2.fc35
apache-resource-bundles: before 30-2.fc35
apache-parent: before 23-5.fc35
apache-commons-parent: before 52-3.fc35
apache-commons-logging: before 1.2-26.fc35
apache-commons-lang3: before 3.12.0-2.fc35
apache-commons-jxpath: before 1.3-39.fc35
apache-commons-io: before 2.8.0-4.fc35
apache-commons-compress: before 1.20-6.fc35
apache-commons-collections: before 3.2.2-23.fc35
apache-commons-codec: before 1.15-3.fc35
apache-commons-cli: before 1.4-13.fc35
apache-commons-beanutils: before 1.9.4-6.fc35
Fedora update advisory: https://bodhi.fedoraproject.org/updates/FEDORA-2021-bcbca49b6d
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51511
Risk: High
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-13936
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker with the ability to modify Velocity templates can inject and execute arbitrary Java code on the system with the same privileges as the account running the Servlet container.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Fedora: 35
xz-java: before 1.8-11.fc35
xmvn: before 4.0.0~20191028.da67577-6.fc35
xmlunit: before 2.8.2-2.fc35
xbean: before 4.18-2.fc35
velocity: before 1.7-35.fc35
univocity-parsers: before 2.9.1-2.fc35
testng: before 7.3.0-2.fc35
slf4j: before 1.7.30-9.fc35
sisu-mojos: before 0.3.4-7.fc35
sisu: before 0.3.4-5.fc35
qdox: before 2.0.0-5.fc35
plexus-utils: before 3.3.0-6.fc35
plexus-sec-dispatcher: before 1.4-33.fc35
plexus-resources: before 1.1.0-6.fc35
plexus-pom: before 7-2.fc35
plexus-languages: before 1.0.6-2.fc35
plexus-io: before 3.2.0-6.fc35
plexus-interpolation: before 1.26-7.fc35
plexus-containers: before 2.1.0-6.fc35
plexus-components-pom: before 6.5-3.fc35
plexus-compiler: before 2.8.8-2.fc35
plexus-classworlds: before 2.6.0-7.fc35
plexus-cipher: before 1.7-23.fc35
plexus-build-api: before 0.0.7-32.fc35
plexus-archiver: before 4.2.4-2.fc35
osgi-core: before 8.0.0-2.fc35
osgi-compendium: before 7.0.0-9.fc35
osgi-annotation: before 8.0.0-2.fc35
opentest4j: before 1.2.0-6.fc35
objenesis: before 3.1-6.fc35
objectweb-asm: before 9.1-2.fc35
munge-maven-plugin: before 1.0-20.fc35
mojo-parent: before 60-2.fc35
modello: before 1.11-5.fc35
mockito: before 3.7.13-2.fc35
maven-wagon: before 3.4.2-2.fc35
maven-surefire: before 3.0.0~M4-2.fc35
maven-source-plugin: before 3.2.1-5.fc35
maven-shared-utils: before 3.3.3-2.fc35
maven-shared-io: before 3.0.0-13.fc35
maven-shared-incremental: before 1.1-22.fc35
maven-resources-plugin: before 3.2.0-3.fc35
maven-resolver: before 1.6.1-2.fc35
maven-remote-resources-plugin: before 1.7.0-5.fc35
maven-plugin-tools: before 3.6.0-9.fc35
maven-plugin-testing: before 3.3.0-20.fc35
maven-plugin-bundle: before 5.1.1-2.fc35
maven-plugin-build-helper: before 3.2.0-4.fc35
maven-parent: before 34-7.fc35
maven-jar-plugin: before 3.2.0-6.fc35
maven-filtering: before 3.2.0-2.fc35
maven-file-management: before 3.0.0-13.fc35
maven-enforcer: before 3.0.0~M3-5.fc35
maven-dependency-tree: before 3.0.1-7.fc35
maven-dependency-plugin: before 3.1.2-6.fc35
maven-dependency-analyzer: before 1.11.3-3.fc35
maven-compiler-plugin: before 3.8.1-9.fc35
maven-common-artifact-filters: before 3.1.1-2.fc35
maven-assembly-plugin: before 3.3.0-5.fc35
maven-artifact-transfer: before 0.13.1-2.fc35
maven-archiver: before 3.5.1-2.fc35
maven-antrun-plugin: before 3.0.0-2.fc35
maven: before 3.6.3-9.fc35
junit5: before 5.7.1-2.fc35
junit: before 4.13.1-2.fc35
jsr-305: before 3.0.2-2.fc35
jsoup: before 1.13.1-6.fc35
jflex: before 1.7.0-6.fc35
jdom2: before 2.0.6-22.fc35
jdom: before 1.1.3-25.fc35
javapackages-tools: before 6.0.0~alpha-6.fc35
java_cup: before 0.11b-17.fc35
jansi: before 2.1.1-4.fc35
jakarta-servlet: before 5.0.0-6.fc35
jakarta-annotations: before 1.3.5-8.fc35
httpcomponents-project: before 12-3.fc35
httpcomponents-core: before 4.4.13-3.fc35
httpcomponents-client: before 4.5.11-3.fc35
hamcrest: before 2.2-3.fc35
guava: before 30.1-2.fc35
google-guice: before 4.2.3-5.fc35
fusesource-pom: before 1.12-7.fc35
felix-utils: before 1.11.6-2.fc35
felix-parent: before 7-5.fc35
easymock: before 4.2-3.fc35
cglib: before 3.3.0-3.fc35
cdi-api: before 2.0.2-2.fc35
byte-buddy: before 1.10.20-2.fc35
beust-jcommander: before 1.78-6.fc35
atinject: before 1.0.3-2.fc35
assertj-core: before 3.19.0-2.fc35
aqute-bnd: before 5.2.0-2.fc35
apiguardian: before 1.1.1-2.fc35
apache-resource-bundles: before 30-2.fc35
apache-parent: before 23-5.fc35
apache-commons-parent: before 52-3.fc35
apache-commons-logging: before 1.2-26.fc35
apache-commons-lang3: before 3.12.0-2.fc35
apache-commons-jxpath: before 1.3-39.fc35
apache-commons-io: before 2.8.0-4.fc35
apache-commons-compress: before 1.20-6.fc35
apache-commons-collections: before 3.2.2-23.fc35
apache-commons-codec: before 1.15-3.fc35
apache-commons-cli: before 1.4-13.fc35
apache-commons-beanutils: before 1.9.4-6.fc35
Fedora update advisory: https://bodhi.fedoraproject.org/updates/FEDORA-2021-bcbca49b6d
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.