Groovy Apache Groovy

Do you want an email whenever new security vulnerabilities are reported in Apache Groovy?

By the Year

In 2022 there have been 0 vulnerabilities in Apache Groovy . Groovy did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2022 0 0.00
2021 0 0.00
2020 2 7.15
2019 0 0.00
2018 1 9.80

It may take a day or so for new Groovy vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Groovy Security Vulnerabilities

Apache Groovy provides extension methods to aid with creating temporary directories

CVE-2020-17521 5.5 - Medium - December 07, 2020

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

In JetBrains Kotlin from 1.4-M1 to 1.4-RC (as Kotlin 1.3.7x is not affected by the issue

CVE-2020-15824 8.8 - High - August 08, 2020

In JetBrains Kotlin from 1.4-M1 to 1.4-RC (as Kotlin 1.3.7x is not affected by the issue. Fixed version is 1.4.0) there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.

Improper Privilege Management

When an application with unsupported Codehaus versions of Groovy

CVE-2016-6814 9.8 - Critical - January 18, 2018

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

Marshaling, Unmarshaling

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3

CVE-2015-3253 9.8 - Critical - August 13, 2015

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

Injection

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Oracle Webcenter Sites or by Apache? Click the Watch button to subscribe.

Apache
Vendor

Apache Groovy
Product

subscribe