CVE-2020-15250
Local information disclosure vulnerability in junit:junit
What is CVE-2020-15250 About?
This vulnerability is a local information disclosure flaw in the JUnit4 `TemporaryFolder` rule, affecting versions prior to 4.13.1 on Java 1.7+. It exposes sensitive data in temporary directories to other users on the same Unix-like system. Exploitation requires co-location with untrusted users and presence of sensitive data in temp folders, making it moderately complex and conditional.
Affected Software
Technical Details
The JUnit4 `TemporaryFolder` rule, specifically in versions before 4.13.1 (for Java 1.7+), contains a local information disclosure vulnerability. On Unix-like systems, the `TemporaryFolder` rule creates temporary directories with default permissions (`drwxr-xr-x`). This means that other users logged into the same system can read the contents of these directories. If sensitive information (e.g., API keys, passwords) is written by JUnit tests into these temporary folders, any co-located untrusted user on the same physical or virtual machine can access and read this information. The vulnerability does not allow for modification or overwriting of files, only unauthorized reading. The impact is significant if the tests execute in a multi-user environment (e.g., CI/CD) and handle sensitive data.
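The permission difference described above, as an added example (not JUnit's own code). The class `TempDirPermissions` and its method names are hypothetical, and the code assumes a POSIX file system. `createLegacy` imitates directory creation through `java.io.File`, where the mode is left to the process umask, and `createOwnerOnly` requests `rwx------` at creation time.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;

public class TempDirPermissions {

    // Legacy-style creation: java.io.File cannot request a mode, so the
    // directory gets whatever the umask allows (drwxr-xr-x under umask 022).
    static Path createLegacy() throws IOException {
        File f = File.createTempFile("junit", "");
        if (!f.delete() || !f.mkdir()) {
            throw new IOException("could not create " + f);
        }
        return f.toPath();
    }

    // Hardened creation: owner-only permissions are applied when the
    // directory is created, so it is never readable by other users.
    static Path createOwnerOnly() throws IOException {
        return Files.createTempDirectory("junit",
                PosixFilePermissions.asFileAttribute(
                        PosixFilePermissions.fromString("rwx------")));
    }

    // True if group or others hold any permission bit on the path.
    static boolean exposedToOtherUsers(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            String name = perm.name();
            if (name.startsWith("GROUP_") || name.startsWith("OTHERS_")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        for (Path dir : new Path[] { createLegacy(), createOwnerOnly() }) {
            System.out.printf("%s %s exposed=%b%n",
                    PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)),
                    dir, exposedToOtherUsers(dir));
            Files.delete(dir); // clean up the empty demo directory
        }
    }
}
```

A check like `exposedToOtherUsers` can also be asserted inside a test suite to confirm that directories holding secrets are not readable by other accounts on a shared build host.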
What is the Impact of CVE-2020-15250?
Successful exploitation may allow attackers to access sensitive information, such as API keys or passwords, leading to further compromises of systems and accounts.
What is the Exploitability of CVE-2020-15250?
Exploitation of this vulnerability requires several specific conditions: JUnit tests must write sensitive information to a `TemporaryFolder`, and those tests must run on an operating system (such as a Unix-like system) where the temporary directory is shared among users, particularly in an environment with untrusted co-located users (e.g., a shared CI/CD server). The complexity is moderate, as it relies on specific test practices and execution environments. The attacker needs no authentication beyond a user account on the same system. This is a local attack, not a remote one. The likelihood of exploitation depends heavily on the type of data processed by the JUnit tests and the security posture of the execution environment. The vulnerability effectively becomes a critical risk factor if sensitive data is handled in a multi-user compute environment without proper isolation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-15250?
Available Upgrade Options
- junit:junit
  - >4.7, <4.13.1 → Upgrade to 4.13.1
Additional Resources
- https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e%40%3Cpluto-scm.portals.apache.org%3E
- https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353%40%3Cdev.knox.apache.org%3E
- https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f%40%3Cdev.knox.apache.org%3E
- https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc%40%3Ccommits.creadur.apache.org%3E
- https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md
- https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html
- https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-15250?
Similar Vulnerabilities: CVE-2020-1945, CVE-2020-15824, CVE-2019-17498, CVE-2019-10023, CVE-2018-12543
