CVE-2020-11979 – org.apache.ant:ant

Package

Manager: maven
Name: org.apache.ant:ant
Vulnerable Version: =1.10.8 || >=1.10.8 <1.10.9

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00827 pctl0.73618

Details

Code injection in Apache Ant As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

Metadata

Created: 2021-02-03T19:16:35Z
Modified: 2024-04-02T19:23:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-f62v-xpxf-3v68/GHSA-f62v-xpxf-3v68.json
CWE IDs: ["CWE-74", "CWE-94"]
Alternative ID: GHSA-f62v-xpxf-3v68
Finding: F184
Auto approve: 1