Vulnerability in Apache Beam
CVE-2020-27216
In Eclipse Jetty versions 1.0 through 9.4.32.v20200930, 10.0.0.alpha1 through 10.0.0.beta2, and 11.0.0.alpha1 through 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated use…
EPSS: 0.043 (89.9th percentile).
CVSS v3 metric
CVSS v3 base score 7.0 (High). Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Apache Beam — versions 2.21.0, 2.22.0, 2.23.0
- Eclipse Jetty — versions 10.0.0, 11.0.0
- Netapp Snapcenter
- Netapp Snap_creator_framework
- Netapp Storage_replication_adapter
- Netapp Vasa_provider
- Netapp Virtual_storage_console
- Oracle Communications_application_session_controller — versions 3.9m0p2
- Oracle Communications_converged_application_server_-_service_controller — versions 6.2
- Oracle Communications_element_manager
Weakness classification (CWE)
Public proof-of-concept exploits
Frequently asked questions
- What is CVE-2020-27216?
- CVE-2020-27216 is a high-severity vulnerability in Apache Beam, classified under Creation of Temporary File With Insecure Permissions. CVSS score: 7.0/10. Published 2020-10-23.
- How severe is CVE-2020-27216?
- High severity. CVSS v3 base score is 7.0 out of 10.
- Is CVE-2020-27216 known to be exploited?
- 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.