Main Vulnerability Database SB2021052423

SB2021052423 - Fedora 35 update for apache-commons-beanutils, apache-commons-cli, apache-commons-codec, apache-commons-collections, apache-commons-compress, apache-commons-io, apache-commons-jxpath, apache-commons-lang3, apache-commons-logging, apache-commons-parent, ap

Published: May 24, 2021

Security Bulletin ID SB2021052423

Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Incorrect default permissions (CVE-ID: CVE-2020-8908)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for files located in the temporary directory set by the Guava com.google.common.io.Files.createTempDir(). A local user with access to the system can view contents of files and directories or modify them.

2) Code Injection (CVE-ID: CVE-2020-13936)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker with ability to modify Velocity templates can inject and execute arbitrary Java code on the system with the same privileges as the account running the Servlet container.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2021-bcbca49b6d

Vulnerable Software

Fedora: 35
xz-java: before 1.8-11.fc35
xmvn: before 4.0.0~20191028.da67577-6.fc35
xmlunit: before 2.8.2-2.fc35
xbean: before 4.18-2.fc35
velocity: before 1.7-35.fc35
univocity-parsers: before 2.9.1-2.fc35
testng: before 7.3.0-2.fc35
slf4j: before 1.7.30-9.fc35
sisu-mojos: before 0.3.4-7.fc35
sisu: before 0.3.4-5.fc35
qdox: before 2.0.0-5.fc35
plexus-utils: before 3.3.0-6.fc35
plexus-sec-dispatcher: before 1.4-33.fc35
plexus-resources: before 1.1.0-6.fc35
plexus-pom: before 7-2.fc35
plexus-languages: before 1.0.6-2.fc35
plexus-io: before 3.2.0-6.fc35
plexus-interpolation: before 1.26-7.fc35
plexus-containers: before 2.1.0-6.fc35
plexus-components-pom: before 6.5-3.fc35
plexus-compiler: before 2.8.8-2.fc35
plexus-classworlds: before 2.6.0-7.fc35
plexus-cipher: before 1.7-23.fc35
plexus-build-api: before 0.0.7-32.fc35
plexus-archiver: before 4.2.4-2.fc35
osgi-core: before 8.0.0-2.fc35
osgi-compendium: before 7.0.0-9.fc35
osgi-annotation: before 8.0.0-2.fc35
opentest4j: before 1.2.0-6.fc35
objenesis: before 3.1-6.fc35
objectweb-asm: before 9.1-2.fc35
munge-maven-plugin: before 1.0-20.fc35
mojo-parent: before 60-2.fc35
modello: before 1.11-5.fc35
mockito: before 3.7.13-2.fc35
maven-wagon: before 3.4.2-2.fc35
maven-surefire: before 3.0.0~M4-2.fc35
maven-source-plugin: before 3.2.1-5.fc35
maven-shared-utils: before 3.3.3-2.fc35
maven-shared-io: before 3.0.0-13.fc35
maven-shared-incremental: before 1.1-22.fc35
maven-resources-plugin: before 3.2.0-3.fc35
maven-resolver: before 1.6.1-2.fc35
maven-remote-resources-plugin: before 1.7.0-5.fc35
maven-plugin-tools: before 3.6.0-9.fc35
maven-plugin-testing: before 3.3.0-20.fc35
maven-plugin-bundle: before 5.1.1-2.fc35
maven-plugin-build-helper: before 3.2.0-4.fc35
maven-parent: before 34-7.fc35
maven-jar-plugin: before 3.2.0-6.fc35
maven-filtering: before 3.2.0-2.fc35
maven-file-management: before 3.0.0-13.fc35
maven-enforcer: before 3.0.0~M3-5.fc35
maven-dependency-tree: before 3.0.1-7.fc35
maven-dependency-plugin: before 3.1.2-6.fc35
maven-dependency-analyzer: before 1.11.3-3.fc35
maven-compiler-plugin: before 3.8.1-9.fc35
maven-common-artifact-filters: before 3.1.1-2.fc35
maven-assembly-plugin: before 3.3.0-5.fc35
maven-artifact-transfer: before 0.13.1-2.fc35
maven-archiver: before 3.5.1-2.fc35
maven-antrun-plugin: before 3.0.0-2.fc35
maven: before 3.6.3-9.fc35
junit5: before 5.7.1-2.fc35
junit: before 4.13.1-2.fc35
jsr-305: before 3.0.2-2.fc35
jsoup: before 1.13.1-6.fc35
jflex: before 1.7.0-6.fc35
jdom2: before 2.0.6-22.fc35
jdom: before 1.1.3-25.fc35
javapackages-tools: before 6.0.0~alpha-6.fc35
java_cup: before 0.11b-17.fc35
jansi: before 2.1.1-4.fc35
jakarta-servlet: before 5.0.0-6.fc35
jakarta-annotations: before 1.3.5-8.fc35
httpcomponents-project: before 12-3.fc35
httpcomponents-core: before 4.4.13-3.fc35
httpcomponents-client: before 4.5.11-3.fc35
hamcrest: before 2.2-3.fc35
guava: before 30.1-2.fc35
google-guice: before 4.2.3-5.fc35
fusesource-pom: before 1.12-7.fc35
felix-utils: before 1.11.6-2.fc35
felix-parent: before 7-5.fc35
easymock: before 4.2-3.fc35
cglib: before 3.3.0-3.fc35
cdi-api: before 2.0.2-2.fc35
byte-buddy: before 1.10.20-2.fc35
beust-jcommander: before 1.78-6.fc35
atinject: before 1.0.3-2.fc35
assertj-core: before 3.19.0-2.fc35
aqute-bnd: before 5.2.0-2.fc35
apiguardian: before 1.1.1-2.fc35
apache-resource-bundles: before 30-2.fc35
apache-parent: before 23-5.fc35
apache-commons-parent: before 52-3.fc35
apache-commons-logging: before 1.2-26.fc35
apache-commons-lang3: before 3.12.0-2.fc35
apache-commons-jxpath: before 1.3-39.fc35
apache-commons-io: before 2.8.0-4.fc35
apache-commons-compress: before 1.20-6.fc35
apache-commons-collections: before 3.2.2-23.fc35
apache-commons-codec: before 1.15-3.fc35
apache-commons-cli: before 1.4-13.fc35
apache-commons-beanutils: before 1.9.4-6.fc35

SB2021052423 - Fedora 35 update for apache-commons-beanutils, apache-commons-cli, apache-commons-codec, apache-commons-collections, apache-commons-compress, apache-commons-io, apache-commons-jxpath, apache-commons-lang3, apache-commons-logging, apache-commons-parent, ap

Breakdown by Severity

Description

Remediation

References

Please verify you're human