Auto-merge PR#5016

2025-07-29 05:56:59 +00:00 · 2020-10-12 13:55:19 -04:00 · 2020-10-12 13:55:19 -04:00 · eed762e444
commit eed762e444
parent f5963f41dc 50434ec186
1 changed files with 86 additions and 6 deletions
--- a/2020/15xxx/CVE-2020-15250.json
+++ b/2020/15xxx/CVE-2020-15250.json
@ -1,18 +1,98 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-15250",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Information disclosure in JUnit4"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "junit4",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 4.13.1"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "junit-team"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "In JUnit4 before version 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability.\n\nOn Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.\n\nThis vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability.\n\nThis vulnerability impacts you if  the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. \n\nBecause certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using.\nFor Java 1.7 and higher users: this vulnerability is fixed in 4.13.1.\nFor Java 1.6 and lower users: no patch is available, you must use the workaround below.\n\nIf you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability.  \n\nFor more information, including an example of vulnerable code, see the referenced GitHub Security Advisory."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "HIGH",
+            "attackVector": "LOCAL",
+            "availabilityImpact": "NONE",
+            "baseScore": 4.4,
+            "baseSeverity": "MEDIUM",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "NONE",
+            "privilegesRequired": "LOW",
+            "scope": "UNCHANGED",
+            "userInteraction": "REQUIRED",
+            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp"
+            },
+            {
+                "name": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae",
+                "refsource": "MISC",
+                "url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae"
+            },
+            {
+                "name": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md",
+                "refsource": "MISC",
+                "url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md"
+            },
+            {
+                "name": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html",
+                "refsource": "MISC",
+                "url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-269g-pwp5-87pp",
+        "discovery": "UNKNOWN"
    }
 }