CVE-2020-1945

CWE-668 — Exposure to Wrong Sphere CWE-377 CWE-200 — Information Exposure CWE-74 CWE-94 — Code Injection CWE-37922 documents10 sources

Severity

6.3MEDIUM

EPSS

0.0%

top 95.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Timesten In-memory Database Apache ANT Oracle Banking Enterprise Collections +47 more

Timeline

PublishedMay 14

Latest updateJul 15

Description

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.0 | Impact: 5.2

Affected Packages51 packages

▶Mavenorg.apache.ant:ant1.1 — 1.9.15+1

▶NVDapache/ant1.1 — 1.9.14+1

▶NVDoracle/health_sciences_information_manager3.0 — 3.0.2

▶CVEListV5apache_antApache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7

▶NVDoracle/retail_back_office14.0, 14.1+1

Also affects: Fedora 31, 32, Ubuntu Linux 19.10

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Code injection in Apache Ant↗2021-02-03

▶

OSV

Sensitive Data Exposure in Apache Ant↗2020-09-14

▶

GHSA

Sensitive Data Exposure in Apache Ant↗2020-09-14

▶

OSV

CVE-2020-1945: Apache Ant 1↗2020-05-14

▶

CVEList

CVE-2020-1945: Apache Ant 1↗2020-05-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Third Party (Apache Ant) — CVE-2020-1945↗2024-07-15

▶

Oracle

Oracle Oracle Retail Applications Risk Matrix: Return Tickets (Apache Ant) — CVE-2020-1945↗2021-10-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Install, config, upgrade (Apache Ant) — CVE-2020-1945↗2021-07-15

▶

Oracle

Oracle Oracle Health Sciences Applications Risk Matrix: Health Record Locator (Apache Ant) — CVE-2020-1945↗2021-04-15

▶

Ubuntu

Apache Ant vulnerability↗2021-03-15

▶

💬Community

Bugzilla

CVE-2020-1945 ant:1.10/ant: insecure temporary file vulnerability [fedora-all]↗2020-05-19

▶

Bugzilla

CVE-2020-1945 ant: insecure temporary file vulnerability↗2020-05-19

▶

Bugzilla

CVE-2020-1945 ant: insecure temporary file vulnerability [fedora-all]↗2020-05-19

▶