Advisory ROSA-SA-2021-1857
Published: 2021-07-02 17:07:48 (Jul 02, 2021 - 5:07 p.m.)
Author: ROSA LAB (rosalinux)
Source: abf.rosalinux.ru

CVSS3: 5.5 Medium
  Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score: 6.2 Medium (Confidence: High)

CVSS2: 1.9 Low
  Access Vector: LOCAL; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE
  Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low (Percentile: 28.1%)

Software: junit 4.11
OS: Cobalt 7.9

CVE-ID: CVE-2020-15250
CVE-Crit: MEDIUM
CVE-DESC: In JUnit4, from version 4.7 through 4.13.1, the TemporaryFolder test rule contains a local information disclosure vulnerability. On Unix-like systems, a system's temporary directory is shared by all users on that system. Because of this, files and directories written to this directory are by default readable by other users on the same system. This vulnerability does not allow other users to overwrite the contents of these directories or files; it is purely an information disclosure vulnerability. It affects you if JUnit tests write sensitive information, such as API keys or passwords, to a temporary folder and the tests are executed in an environment where there are other untrusted users on the OS. Because some JDK file system APIs were only added in JDK 1.7, the fix depends on the version of the JDK you are using. For users of Java 1.7 and above: this vulnerability is fixed in version 4.13.1. For users of Java 1.6 and below: a patch is not available, you must use the workaround described below. If you cannot patch or are stuck on Java 1.6, pointing the java.io.tmpdir system environment variable at a directory that belongs exclusively to the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory document.
CVE-STATUS: default
CVE-REV: default
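As an added example (not part of the ROSA advisory or of JUnit's own code), the following JDK-only program contrasts the directory-creation pattern behind the disclosure, a temp file deleted and recreated as a directory that inherits the process umask, with Files.createTempDirectory, a JDK 7+ API of the kind the description says the fix depends on, and checks whether the java.io.tmpdir in use belongs exclusively to the current user, which is the precondition of the stated workaround. It assumes a Unix-like file system that reports POSIX permissions; the class and method names are my own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

public class TempDirExposureCheck {
    // Pre-fix pattern (reconstructed for illustration): create a temp file, delete it and
    // recreate the name as a directory. mkdir() honours the process umask, so with the usual
    // 022 umask the directory is 0755: listable and readable by every user sharing /tmp.
    static Path legacyStyleTempDir() throws IOException {
        File f = File.createTempFile("junit", "");
        if (!f.delete() || !f.mkdir()) {
            throw new IOException("could not recreate " + f + " as a directory");
        }
        return f.toPath();
    }

    // Hardened pattern: Files.createTempDirectory (JDK 7+) creates the directory
    // with owner-only permissions (rwx------) on POSIX file systems.
    static Path privateTempDir() throws IOException {
        return Files.createTempDirectory("junit");
    }

    // True if anyone other than the owner may read the path: the condition that turns
    // an API key or password written by a test into an information disclosure.
    static boolean readableByOthers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    // Precondition of the Java 1.6 workaround: java.io.tmpdir must be owned by the
    // executing user and not readable by anyone else.
    static boolean tmpdirIsPrivateToCurrentUser() throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        boolean owned = Files.getOwner(tmp).getName().equals(System.getProperty("user.name"));
        return owned && !readableByOthers(tmp);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyStyleTempDir();
        Path fixed = privateTempDir();
        System.out.println("java.io.tmpdir private to current user: " + tmpdirIsPrivateToCurrentUser());
        System.out.println("legacy-style dir readable by others:    " + readableByOthers(legacy));
        System.out.println("createTempDirectory readable by others: " + readableByOthers(fixed));
        Files.delete(legacy);
        Files.delete(fixed);
    }
}
```

On a stock Linux host with a world-readable /tmp the first two checks report the exposure and the third does not; the ownership check is what a CI job should assert before relying on the java.io.tmpdir workaround.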

OS      Version  Architecture  Package  Version  Filename
Cobalt  any      noarch        junit    < 4.11   UNKNOWN
