CVE-2020-11979
Summary
| CVE | CVE-2020-11979 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-10-01 20:15:00 UTC |
| Updated | 2023-11-07 03:15:00 UTC |
| Description | As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Ant | 1.10.8 | All | All | All |
| Operating System | Fedoraproject | Fedora | 31 | All | All | All |
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Application | Gradle | Gradle | All | All | All | All |
| Application | Oracle | Agile Engineering Data Management | 6.2.1.0 | All | All | All |
| Application | Oracle | Api Gateway | 11.1.2.4.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.4.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.4.1 | All | All | All |
| Application | Oracle | Banking Platform | 2.6.2 | All | All | All |
| Application | Oracle | Banking Platform | 2.7.0 | All | All | All |
| Application | Oracle | Banking Platform | 2.7.1 | All | All | All |
| Application | Oracle | Banking Platform | 2.8.0 | All | All | All |
| Application | Oracle | Banking Treasury Management | 14.4 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.0 | All | All | All |
| Application | Oracle | Communications Unified Inventory Management | 7.4.1 | All | All | All |
| Application | Oracle | Data Integrator | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Data Integrator | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Endeca Information Discovery Studio | 3.2.0.0 | All | All | All |
| Application | Oracle | Enterprise Repository | 11.1.1.7.0 | All | All | All |
| Application | Oracle | Financial Services Analytical Applications Infrastructure | 8.1.0 | All | All | All |
| Application | Oracle | Financial Services Analytical Applications Infrastructure | 8.1.1 | All | All | All |
| Application | Oracle | Financial Services Analytical Applications Infrastructure | All | All | All | All |
| Application | Oracle | Flexcube Private Banking | 12.0.0 | All | All | All |
| Application | Oracle | Flexcube Private Banking | 12.1.0 | All | All | All |
| Application | Oracle | Primavera Gateway | All | All | All | All |
| Application | Oracle | Primavera Unifier | 16.1 | All | All | All |
| Application | Oracle | Primavera Unifier | 16.2 | All | All | All |
| Application | Oracle | Primavera Unifier | 18.8 | All | All | All |
| Application | Oracle | Primavera Unifier | 19.12 | All | All | All |
| Application | Oracle | Primavera Unifier | 20.12 | All | All | All |
| Application | Oracle | Primavera Unifier | All | All | All | All |
| Application | Oracle | Real-time Decision Server | 11.1.1.9.0 | All | All | All |
| Application | Oracle | Real-time Decision Server | 3.2.0.0 | All | All | All |
| Application | Oracle | Retail Advanced Inventory Planning | 14.1 | All | All | All |
| Application | Oracle | Retail Assortment Planning | 16.0.3 | All | All | All |
| Application | Oracle | Retail Category Management Planning Optimization | 16.0.3 | All | All | All |
| Application | Oracle | Retail Eftlink | 19.0.1 | All | All | All |
| Application | Oracle | Retail Eftlink | 20.0.0 | All | All | All |
| Application | Oracle | Retail Financial Integration | 14.1.3 | All | All | All |
| Application | Oracle | Retail Financial Integration | 15.0.3 | All | All | All |
| Application | Oracle | Retail Financial Integration | 16.0.3 | All | All | All |
| Application | Oracle | Retail Integration Bus | 15.0.3 | All | All | All |
| Application | Oracle | Retail Item Planning | 16.0.3 | All | All | All |
| Application | Oracle | Retail Macro Space Optimization | 16.0.3 | All | All | All |
| Application | Oracle | Retail Merchandise Financial Planning | 16.0.3 | All | All | All |
| Application | Oracle | Retail Merchandising System | 14.1.3.2 | All | All | All |
| Application | Oracle | Retail Merchandising System | 16.0.3 | All | All | All |
| Application | Oracle | Retail Predictive Application Server | 14.1 | All | All | All |
| Application | Oracle | Retail Regular Price Optimization | 16.0.3 | All | All | All |
| Application | Oracle | Retail Replenishment Optimization | 16.0.3 | All | All | All |
| Application | Oracle | Retail Service Backbone | 14.1.3 | All | All | All |
| Application | Oracle | Retail Service Backbone | 15.0.3 | All | All | All |
| Application | Oracle | Retail Service Backbone | 16.0.3 | All | All | All |
| Application | Oracle | Retail Size Profile Optimization | 16.0.3 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 14.1.3.9 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 15.0.3.0 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 15.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 16.0.6 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 17.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 18.0.3 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 19.0.2 | All | All | All |
| Application | Oracle | Storagetek Acsls | 8.5.1 | All | All | All |
| Application | Oracle | Storagetek Tape Analytics | 2.4 | All | All | All |
| Application | Oracle | Timesten In-memory Database | All | All | All | All |
| Application | Oracle | Utilities Framework | 4.3.0.5.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.3.0.6.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.0.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.2.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| CVE-2020-11979: Apache Ant insecure temporary file vulnerability · Advisory · gradle/gradle · GitHub | MISC | github.com | Third Party Advisory |
| [SECURITY] Fedora 31 Update: ant-1.10.9-1.fc31 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| [SECURITY] Fedora 33 Update: ant-1.10.9-1.fc33 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Pony Mail! | | lists.apache.org | |
| [creadur-dev] 20210621 [jira] [Commented] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8 | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Pony Mail! | | lists.apache.org | |
| [SECURITY] Fedora 33 Update: ant-1.10.9-1.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MISC | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| [SECURITY] Fedora 32 Update: ant-1.10.9-1.fc32 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| [SECURITY] Fedora 31 Update: ant-1.10.9-1.fc31 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Patch, Vendor Advisory |
| Apache Ant: Insecure temporary file (GLSA 202011-18) — Gentoo security | GENTOO | security.gentoo.org | Third Party Advisory |
| [SECURITY] Fedora 32 Update: ant-1.10.9-1.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| Oracle Critical Patch Update Advisory - January 2021 | MISC | www.oracle.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 501176 Alpine Linux Security Update for apache-ant
- 501863 Alpine Linux Security Update for gradle
- 504582 Alpine Linux Security Update for apache-ant
- 752811 SUSE Enterprise Linux Security Update for ant (SUSE-SU-2022:4022-1)
- 770050 Red Hat OpenShift Container Platform Security and Packages Update 4.6.17 (RHSA-2021:0423)
- 770051 Red Hat OpenShift Container Platform 4.5.33 Packages and Security Update (RHSA-2021:0429)
- 770099 Red Hat OpenShift Container Platform 4.5 Security Update (RHSA-2021-0429)
- 770122 Red Hat OpenShift Container Platform 4.6 Security Update (RHSA-2021-0423)
- 900118 CBL-Mariner Linux Security Update for ant 1.10.8
- 902839 Common Base Linux Mariner (CBL-Mariner) Security Update for ant (3125)
- 980325 Java (maven) Security Update for org.apache.ant:ant (GHSA-f62v-xpxf-3v68)