CVE-2020-17521 [Medium] | Security Vulnerability in Groovy

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	2.43%	1.05%	-1.38%
2	2026-03-21	1.79%	2.43%	+0.64%
3	2026-03-04	—	1.79%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

2.43%

1.05%

-1.38%

2026-03-21

1.79%

2.43%

+0.64%

2026-03-04

—

1.79%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	1.8	3.6	[email protected]
2.1	2.0	LOW	`AV:L/AC:L/Au:N/C:P/I:N/A:N` Click to expand Access vector (AV:L) Requires local access to the target system. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:N) No availability impact.	3.9	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.5

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

1.8

3.6

[email protected]

2.1

2.0

LOW

AV:L/AC:L/Au:N/C:P/I:N/A:N Click to expand

Access vector (AV:L): Requires local access to the target system.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:N): No availability impact.

3.9

2.9

[email protected]

OS Trackers for CVE-2020-17521

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2020-17521 not yet assigned priority: Debian including 1 source packages (groovy), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2020-17521
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2020-17521
`suse`	medium	CVE-2020-17521 severity moderate: SUSE including 57 source package names (groovy-2.4.21-2.3, groovy-2.4.21-3.3.2, …), 134 product×package rows across 13 product lines (SUSE Linux Enterprise Module for Development Tools 15 SP2, SUSE Linux Enterprise Module for Development Tools 15 SP3, … (13 product lines)): Fixed 134.	https://www.suse.com/security/cve/CVE-2020-17521/
`ubuntu`	low	CVE-2020-17521 low priority: Ubuntu including 2 source packages (groovy, groovy2), 32 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 15, ignored 8, needs-triage 7, needed 1, released 1.	https://ubuntu.com/security/CVE-2020-17521

Affected software / configurations for CVE-2020-17521

Vendor	Product	Version	Raw CPE
apache	groovy	>= 2.0.0, <= 2.4.20	cpe:2.3:a:apache:groovy::::::::
apache	groovy	>= 2.5.0, <= 2.5.13	cpe:2.3:a:apache:groovy::::::::
apache	groovy	>= 3.0.0, <= 3.0.6	cpe:2.3:a:apache:groovy::::::::
apache	groovy	4.0.0	cpe:2.3:a:apache:groovy:4.0.0:alpha1::::::
netapp	snapcenter	—	cpe:2.3:a:netapp:snapcenter:-:::::::*
oracle	agile_engineering_data_management	6.2.1.0	cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
oracle	agile_plm	9.3.3	cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
oracle	agile_plm	9.3.6	cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
oracle	agile_plm_mcad_connector	3.4	cpe:2.3:a:oracle:agile_plm_mcad_connector:3.4:::::::*
oracle	agile_plm_mcad_connector	3.6	cpe:2.3:a:oracle:agile_plm_mcad_connector:3.6:::::::*
oracle	business_process_management_suite	12.2.1.3.0	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::*
oracle	business_process_management_suite	12.2.1.4.0	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:::::::*
oracle	communications_brm_-_elastic_charging_engine	11.3.0.9.0	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:11.3.0.9.0:::::::*
oracle	communications_brm_-_elastic_charging_engine	12.0.0.3	cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:::::::*
oracle	communications_diameter_signaling_router	8.4.0.0	cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4.0.0:::::::*
oracle	communications_evolved_communications_application_server	7.1	cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:::::::*
oracle	communications_services_gatekeeper	6.0	cpe:2.3:a:oracle:communications_services_gatekeeper:6.0:::::::*
oracle	communications_services_gatekeeper	6.1	cpe:2.3:a:oracle:communications_services_gatekeeper:6.1:::::::*
oracle	communications_services_gatekeeper	7.0	cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:::::::*
oracle	healthcare_data_repository	7.0.2	cpe:2.3:a:oracle:healthcare_data_repository:7.0.2:::::::*
oracle	hospitality_opera_5	5.6	cpe:2.3:a:oracle:hospitality_opera_5:5.6:::::::*
oracle	ilearning	6.2	cpe:2.3:a:oracle:ilearning:6.2:::::::*
oracle	ilearning	6.3	cpe:2.3:a:oracle:ilearning:6.3:::::::*
oracle	insurance_policy_administration	>= 11.0, <= 11.3.1	cpe:2.3:a:oracle:insurance_policy_administration::::::::
oracle	jd_edwards_enterpriseone_orchestrator	9.2.6.0	cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2.6.0:::::::*
oracle	primavera_gateway	>= 17.12.0, <= 17.12.10	cpe:2.3:a:oracle:primavera_gateway::::::::
oracle	primavera_unifier	>= 17.7, <= 17.12	cpe:2.3:a:oracle:primavera_unifier::::::::
oracle	primavera_unifier	16.1	cpe:2.3:a:oracle:primavera_unifier:16.1:::::::*
oracle	primavera_unifier	16.2	cpe:2.3:a:oracle:primavera_unifier:16.2:::::::*
oracle	primavera_unifier	18.8	cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
oracle	primavera_unifier	19.12	cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
oracle	primavera_unifier	20.12	cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
oracle	retail_bulk_data_integration	15.0.3.0	cpe:2.3:a:oracle:retail_bulk_data_integration:15.0.3.0:::::::*
oracle	retail_bulk_data_integration	16.0.3.0	cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:::::::*
oracle	retail_merchandising_system	16.0.3	cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:::::::*
oracle	retail_store_inventory_management	14.1.3.10	cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.10:::::::*
oracle	retail_store_inventory_management	15.0.3.5	cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.5:::::::*
oracle	retail_store_inventory_management	16.0.3.5	cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3.5:::::::*
apache	atlas	2.1.0	cpe:2.3:a:apache:atlas:2.1.0:-::::::

References for CVE-2020-17521

URL	Tags
https://groovy-lang.org/security.html#CVE-2020-17521	Third Party Advisory
https://lists.apache.org/thread.html/r4b2f13c302eec98838ff7475253091fb9b75bc1038016ba00ebf6c08%40%3Cdev.atlas.apache.org%3E
https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E
https://lists.apache.org/thread.html/rea63a4666ba245d2892471307772a2d8ce0f0741f341d6576625c1b3%40%3Cdev.atlas.apache.org%3E
https://security.netapp.com/advisory/ntap-20201218-0006/	Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

URL

CVE-2020-17521

Exploit prediction scoring system (EPSS) score for CVE-2020-17521

Common vulnerability scoring system (CVSS) metrics for CVE-2020-17521

Weakness enumeration for CVE-2020-17521

GitHub Security Advisory for CVE-2020-17521

OS Trackers for CVE-2020-17521

Affected software / configurations for CVE-2020-17521

References for CVE-2020-17521