This vulnerability exists due to a vulnerable method in the Apache Groovy Stdlib. See CVE-2020-17521.

https://github.com/grails/grails-core/blob/bde047607fe4f04face70a53cfc9a45747b9c611/grails-shell/src/main/groovy/org/grails/cli/profile/commands/CreateAppCommand.groovy#L365

Impact

This vulnerability may impacts Grails users creating applications using the create-app command on shared Linux-like systems.

Workarounds

Setting the java.io.tmpdir system environment variable to a directory that is exclusively owned by the Grails user will fix this vulnerability.

References

1. CWE-379: Creation of Temporary File in Directory with Insecure Permissions (https://cwe.mitre.org/data/definitions/379.html)
2. File.createTempFile should not be used to create a directory (https://rules.sonarsource.com/java/tag/owasp/RSPEC-2976)
3. Apache Groovy CVE-2020-17521
4. https://docs.groovy-lang.org/latest/html/groovy-jdk/java/io/File.html#createTempDir()
5. https://docs.groovy-lang.org/latest/html/groovy-jdk/java/io/File.html#createTempDir(java.lang.String,%20java.lang.String)

Credit

This vulnerability was discovered by Jonathan Leitschuh