SCA: security update for junit:junit (GHSA-269g-pwp5-87pp)

medium Tenable Cloud Security Plugin ID 408730

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information
disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all
users on that system. Because of this, when files and directories are written into this directory they
are, by default, readable by other users on that same system. This vulnerability does not allow other
users to overwrite the contents of these directories or files. This is purely an information disclosure
vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API
keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS
has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix
is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability
is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround
below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir`
system environment variable to a directory that is exclusively owned by the executing user will fix this
vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub
Security Advisory. (CVE-2020-15250)
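
The difference in default permissions described above can be observed with the following added example, which is not JUnit's code and not taken from the advisory. It assumes a POSIX file system and OpenJDK; the class and method names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;

public class TempDirPermissions {
    // Pre-Java 7 idiom: reserve a unique name, then turn it into a directory.
    // mkdir() applies 0777 masked by the umask, typically rwxr-xr-x.
    static Path legacyTempDir() throws IOException {
        File f = File.createTempFile("junit", "");
        if (!f.delete() || !f.mkdir()) {
            throw new IOException("could not create " + f);
        }
        return f.toPath();
    }

    // Java 7+ NIO API: with no attributes given, OpenJDK creates the
    // directory owner-only (rwx------) on POSIX file systems.
    static Path nioTempDir() throws IOException {
        return Files.createTempDirectory("junit");
    }

    // True when no group or other permission bit is set.
    static boolean ownerOnly(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            if (!perm.name().startsWith("OWNER_")) {
                return false;
            }
        }
        return true;
    }

    static void report(String label, Path p) throws IOException {
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
        System.out.printf("%-7s %s %s ownerOnly=%b%n", label, mode, p, ownerOnly(p));
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempDir();
        Path nio = nioTempDir();
        try {
            report("legacy", legacy);
            report("nio", nio);
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(nio);
        }
    }
}
```

Running it with `-Djava.io.tmpdir=<dir>` pointing at a directory owned exclusively by the executing user shows the workaround: the legacy directory may still carry group and other read bits, but it then sits under a parent that other users cannot traverse.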

See Also

https://github.com/advisories/GHSA-269g-pwp5-87pp

Plugin Details

Severity: Medium

ID: 408730

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 1/26/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 1.9

Temporal Score: 1.5

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2020-15250

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/12/2020

Vulnerability Publication Date: 10/12/2020

Reference Information

CVE: CVE-2020-15250