
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability CVE-2020-15250 affects JUnit 4 versions 4.7 up to and including 4.13 (fixed in 4.13.1) and is a local information disclosure in the TemporaryFolder test rule. It was disclosed in October 2020 and affects Unix-like systems, where the system temporary directory (normally /tmp) is shared between all users (GitHub Advisory).
The problem is in how the TemporaryFolder rule creates its root folder inside the system temporary directory. Prior to the fix, the folder was created with the java.io.File API, so its mode was whatever the process umask allowed; with the usual default umask of 022 that is 'drwxr-xr-x', which lets every other user on the host list and read the folder and the test files written into it. Because the parent directory is shared between all users on Unix-like systems, there is nothing above the folder to block that access (GitHub Advisory).
This is purely an information disclosure vulnerability: it matters when JUnit tests write sensitive data such as API keys or passwords into the temporary folder, and only when the tests run on a host shared with other untrusted users, for example a multi-tenant CI/CD build host. The readable permissions do not let other users overwrite the contents of these directories or files (GitHub Advisory).
For Java 1.7 and higher, the vulnerability is fixed in JUnit 4.13.1, which creates the root temporary folder with owner-only permissions ('drwx------', mode 0700) regardless of the umask. For Java 1.6 and lower no patch is available; the workaround is to point the 'java.io.tmpdir' JVM system property (for example '-Djava.io.tmpdir=/path/to/private/dir') at a directory that is exclusively owned by, and only accessible to, the executing user (GitHub Advisory).
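The following JUnit 4 test class is an added example, not code from the advisory or from the JUnit project. It checks the rule's root folder for group/other permission bits, which is the condition the advisory describes, and contrasts a reconstruction of the pre-4.13.1 creation pattern (File.createTempFile, delete, mkdir, so the mode follows the umask) with java.nio.file.Files.createTempDirectory, which on POSIX file systems always sets rwx------. The names legacyStyleCreate, nioCreate and isOwnerOnly are this example's own; the legacy helper is an illustrative reconstruction, not JUnit's source.

```java
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeTrue;

import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

public class TemporaryFolderPermissionTest {

    // Any of these bits on the root folder means another local user can get at its contents.
    private static final Set<PosixFilePermission> NON_OWNER_BITS = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    @Rule
    public TemporaryFolder folder = new TemporaryFolder();

    /** True when no group/other permission bit is set, i.e. the directory is mode 0700. */
    static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission bit : NON_OWNER_BITS) {
            if (perms.contains(bit)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Reconstruction (assumption, not JUnit's code) of how the root folder was created before
     * 4.13.1: a temp file is created, deleted and re-created as a directory with File.mkdir(),
     * so the resulting mode is 0777 masked by the process umask, typically 0755.
     */
    static Path legacyStyleCreate(File parent) throws IOException {
        File created = File.createTempFile("junit", "", parent);
        if (!created.delete() || !created.mkdir()) {
            throw new IOException("could not create directory " + created);
        }
        return created.toPath();
    }

    /** Java 7+ creation: Files.createTempDirectory sets rwx------ explicitly on POSIX. */
    static Path nioCreate(File parent) throws IOException {
        return Files.createTempDirectory(parent.toPath(), "junit");
    }

    private static boolean posixFileSystem() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    @Test
    public void ruleRootIsNotReadableByOtherUsers() throws IOException {
        assumeTrue("POSIX permissions required for this check", posixFileSystem());
        // Fails on JUnit 4.7 to 4.13 under a default umask; passes on 4.13.1+ running on Java 7+.
        assertTrue("TemporaryFolder root " + folder.getRoot() + " is accessible to other users",
                isOwnerOnly(folder.getRoot().toPath()));
    }

    @Test
    public void nioCreationIsPrivateRegardlessOfUmask() throws IOException {
        assumeTrue(posixFileSystem());
        File parent = new File(System.getProperty("java.io.tmpdir"));
        Path legacy = legacyStyleCreate(parent);
        Path fixed = nioCreate(parent);
        try {
            // Prints e.g. "legacy: rwxr-xr-x" and "fixed:  rwx------" with umask 022.
            System.out.println("legacy: "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy)));
            System.out.println("fixed:  "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(fixed)));
            assertTrue(isOwnerOnly(fixed));
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(fixed);
        }
    }
}
```

Two caveats when reading the results: a restrictive umask (077) makes the legacy pattern look private on a given host, so a passing run there says nothing about other build agents; and the check inspects only the root folder, which is what the fix hardens, since an unreadable, non-traversable root is what keeps other users away from the files created beneath it. On Java 6 the first test will fail even with 4.13.1, which is where the '-Djava.io.tmpdir' workaround pointing at a user-owned mode-0700 directory comes in.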
Source: This report was generated using AI