diff --git a/CVE-2020-17521.patch b/CVE-2020-17521.patch
new file mode 100644
index 0000000000000000000000000000000000000000..703d96b5ac92841ac18eab98cbda3e482db219a9
--- /dev/null
+++ b/CVE-2020-17521.patch
@@ -0,0 +1,81 @@
+From 24a2441ad715cda26c9cae9febb36cdb51983092 Mon Sep 17 00:00:00 2001
+From: Paul King <paulk@asert.com.au>
+Date: Fri, 5 Feb 2021 10:15:52 +0800
+Subject: [PATCH] use newer api for creating temp dir
+
+---
+ .../runtime/DefaultGroovyStaticMethods.java   | 48 ++++++-------------
+ 1 file changed, 14 insertions(+), 34 deletions(-)
+
+diff --git a/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java b/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
+index 9e4ce31..61414b2 100644
+--- a/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
++++ b/src/main/org/codehaus/groovy/runtime/DefaultGroovyStaticMethods.java
+@@ -24,6 +24,8 @@ import java.io.File;
+ import java.io.IOException;
+ import java.text.ParseException;
+ import java.text.SimpleDateFormat;
++import java.nio.file.Files;
++import java.nio.file.Path;
+ import java.util.Date;
+ import java.util.ResourceBundle;
+ import java.util.Locale;
+@@ -261,43 +263,21 @@ public class DefaultGroovyStaticMethods {
+     }
+ 
+     public static File createTempDir(File self) throws IOException {
+-        return createTempDir(self, "groovy-generated-", "-tmpdir");
++	return createTempDir(self, "groovy-generated-", "tmpdir-");
++    }
++
++    public static File createTempDir(File self, final String prefix) throws IOException {
++	return createTempDirNio(prefix);
+     }
+ 
+     public static File createTempDir(File self, final String prefix, final String suffix) throws IOException {
+-        final int MAXTRIES = 3;
+-        int accessDeniedCounter = 0;
+-        File tempFile=null;
+-        for (int i=0; i<MAXTRIES; i++) {
+-            try {
+-                tempFile = File.createTempFile(prefix, suffix);
+-                tempFile.delete();
+-                tempFile.mkdirs();
+-                break;
+-            } catch (IOException ioe) {
+-                if (ioe.getMessage().startsWith("Access is denied")) {
+-                    accessDeniedCounter++;
+-                    try { Thread.sleep(100); } catch (InterruptedException e) {}
+-                }
+-                if (i==MAXTRIES-1) {
+-                    if (accessDeniedCounter==MAXTRIES) {
+-                        String msg =
+-                                "Access is denied.\nWe tried " +
+-                                        + accessDeniedCounter+
+-                                        " times to create a temporary directory"+
+-                                        " and failed each time. If you are on Windows"+
+-                                        " you are possibly victim to"+
+-                                        " http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6325169. "+
+-                                        " this is no bug in Groovy.";
+-                        throw new IOException(msg);
+-                    } else {
+-                        throw ioe;
+-                    }
+-                }
+-                continue;
+-            }
+-        }
+-        return tempFile;
++	// more secure Files api doesn't support suffix, so just append it to the prefix
++        return createTempDirNio(prefix + suffix);
++    }
++
++    private static File createTempDirNio(String prefix) throws IOException {
++	Path tempPath = Files.createTempDirectory(prefix);
++	return tempPath.toFile();
+     }
+ 
+   /**
+-- 
+2.23.0
+
diff --git a/groovy.spec b/groovy.spec
index 67e7ad1e7a1ddfc24315ba4c8ef130574f0cc65d..bf7050d792cdf4c78889bbf1b4c0696a34779ac1 100644
--- a/groovy.spec
+++ b/groovy.spec
@@ -1,8 +1,8 @@
 Name:           groovy
 Version:        2.4.8
-Release:        8
+Release:        9
 Summary:        Dynamic language for the Java Platform
-License:        ASL 2.0 and BSD and EPL and Public Domain and CC-BY
+License:        ASL 2.0 and BSD and EPL-1.0 and Public Domain and ANTLR-PD and MIT
 URL:            http://groovy-lang.org
 Source0:        https://dl.bintray.com/groovy/maven/apache-groovy-src-%{version}.zip
 Source1:        groovy-script.sh
@@ -17,6 +17,7 @@ Patch3:         0004-Remove-android-support.patch
 Patch4:         0005-Update-to-QDox-2.0.patch
 Patch5:         0006-Disable-artifactory-publish.patch
 Patch6:         0007-Fix-missing-extension-definitions.patch
+Patch7:         CVE-2020-17521.patch
 
 BuildRequires:  gradle-local >= 2.1-0.9 javapackages-local java-devel >= 1.8 ant antlr-tool ant-antlr
 BuildRequires:  aqute-bnd gpars multiverse apache-parent testng jline apache-commons-cli apache-commons-beanutils
@@ -189,5 +190,8 @@ EOF
 %doc LICENSE NOTICE README.adoc
 
 %changelog
+* Thu Feb 04 2021 wangyue <wangyue92@huawei.com> 2.4.8-9
+- fix CVE-2020-17521
+
 * Thu Dec 7 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.4.8-8
 - Package init