PT-2020-5517 · Junit+4 · Junit4+4
Published: 2020-10-12 · Updated: 2022-06-11 · CVE-2020-15250
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
JUnit4 versions 4.7 through 4.13.1
Description
The issue is related to a local information disclosure vulnerability in the test rule TemporaryFolder of JUnit4. On Unix-like systems, the system's temporary directory is shared between all users, making files and directories written into this directory readable by other users on the same system. This vulnerability impacts JUnit tests that write sensitive information, such as API keys or passwords, into the temporary folder and execute in an environment with other untrusted users.
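The exposure described above can be observed on a POSIX file system with the following added example, which is not code from JUnit or from this advisory. It compares a directory created through the legacy java.io.File API, whose mode comes from the process umask, with one created through java.nio.file.Files with owner-only permissions. The class and method names are hypothetical, and the legacy pattern is an assumed stand-in for umask-derived creation, not a copy of TemporaryFolder's implementation.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical demo class (not part of JUnit); requires a POSIX file system.
public class TempDirPermissions {
    // Permission bits that give anyone other than the owner access to the directory.
    private static final Set<PosixFilePermission> NON_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    // Legacy java.io.File pattern: the directory mode is derived from the process umask,
    // so with a typical umask of 022 other local users can list and read its contents.
    static Path legacyTempDir(File parent) throws IOException {
        File f = File.createTempFile("demo", "", parent);
        if (!f.delete() || !f.mkdir()) {
            throw new IOException("could not create " + f);
        }
        return f.toPath();
    }

    // NIO pattern: the directory is created with owner-only permissions requested explicitly.
    static Path privateTempDir(Path parent) throws IOException {
        return Files.createTempDirectory(parent, "demo",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
    }

    // True when group or other users hold any permission bit on the directory.
    static boolean exposedToOthers(Path dir) throws IOException {
        return !Collections.disjoint(Files.getPosixFilePermissions(dir), NON_OWNER);
    }

    public static void main(String[] args) throws IOException {
        File tmp = new File(System.getProperty("java.io.tmpdir"));
        Path[] dirs = {legacyTempDir(tmp), privateTempDir(tmp.toPath())};
        for (Path p : dirs) {
            System.out.printf("%s %s exposed=%b%n",
                    PosixFilePermissions.toString(Files.getPosixFilePermissions(p)), p, exposedToOthers(p));
            Files.delete(p);
        }
    }
}
```

Running it with -Djava.io.tmpdir pointed at a directory only the current user can enter shows the effect of the workaround: the legacy directory may still carry group and other bits, but the private parent keeps other users from reaching it.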
Recommendations
For Java 1.7 and higher users: update to version 4.13.1 to fix the vulnerability.
For Java 1.6 and lower users: no patch is available; as a workaround, set the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user.
As a temporary workaround, consider restricting access to the temporary folder to minimize the risk of exploitation.
Exploit
Fix
Information Disclosure
Incorrect Permission
Affected Products
Alt Linux
Astra Linux
Junit4
Linuxmint
Ubuntu