CVE-2020-11979

CWE-379CWE-377CWE-74CWE-94Code Injection14 documents8 sources
Severity
7.5HIGH
EPSS
1.1%
top 21.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
37
Gradle GradleOracle Timesten In-memory DatabaseOracle Financial Services Analytical Applications Infrastructure+34 more
Timeline
PublishedOct 1
Latest updateJan 15

Description

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages39 packages

Mavenorg.apache.ant:ant< 1.10.9
CVEListV5apache_antApache Ant 1.10.8
NVDapache/ant1.10.8
NVDgradle/gradle< 6.8.0

Also affects: Fedora 31, 32, 33

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
Code injection in Apache Ant2021-02-03
OSV
Code injection in Apache Ant2021-02-03
OSV
CVE-2020-11979: As mitigation for CVE-2020-1945 Apache Ant 12020-10-01
CVEList
CVE-2020-11979: As mitigation for CVE-2020-1945 Apache Ant 12020-10-01

📋Vendor Advisories

9
Oracle
Oracle Oracle Utilities Applications Risk Matrix: Installation (Apache Ant) — CVE-2020-119792023-01-15
Oracle
Oracle Oracle Systems Risk Matrix: Software (Apache Ant) — CVE-2020-119792022-04-15
Oracle
Oracle Oracle TimesTen In-Memory Database Risk Matrix: Install (Apache Ant) — CVE-2020-119792022-01-15
Oracle
Oracle Oracle Financial Services Applications Risk Matrix: Capital Workflow (Apache Ant) — CVE-2020-119792021-07-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: Security Component (Apache Ant) — CVE-2020-119792021-04-15