CVE-2020-1945
Summary
| CVE | CVE-2020-1945 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-05-14 16:15:00 UTC |
| Updated | 2023-11-07 03:19:00 UTC |
| Description | Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process. |
Risk And Classification
Problem Types: CWE-668
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Ant | All | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 19.10 | All | All | All |
| Operating System | Fedoraproject | Fedora | 31 | All | All | All |
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
| Operating System | Opensuse | Leap | 15.2 | All | All | All |
| Application | Oracle | Agile Engineering Data Management | 6.2.1.0 | All | All | All |
| Application | Oracle | Banking Enterprise Collections | All | All | All | All |
| Application | Oracle | Banking Liquidity Management | All | All | All | All |
| Application | Oracle | Banking Platform | All | All | All | All |
| Application | Oracle | Business Process Management Suite | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Business Process Management Suite | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Category Management Planning Optimization | 15.0.3 | All | All | All |
| Application | Oracle | Communications Asap | 7.3 | All | All | All |
| Application | Oracle | Communications Diameter Signaling Router | All | All | All | All |
| Application | Oracle | Communications Metasolv Solution | 6.3.0 | All | All | All |
| Application | Oracle | Communications Order And Service Management | 7.3 | All | All | All |
| Application | Oracle | Communications Order And Service Management | 7.4 | All | All | All |
| Application | Oracle | Data Integrator | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Data Integrator | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Endeca Information Discovery Studio | 3.2.0 | All | All | All |
| Application | Oracle | Enterprise Manager Ops Center | 12.4.0.0 | All | All | All |
| Application | Oracle | Enterprise Repository | 11.1.1.7.0 | All | All | All |
| Application | Oracle | Financial Services Analytical Applications Infrastructure | All | All | All | All |
| Application | Oracle | Flexcube Investor Servicing | 12.1.0 | All | All | All |
| Application | Oracle | Flexcube Investor Servicing | 12.3.0 | All | All | All |
| Application | Oracle | Flexcube Investor Servicing | 12.4.0 | All | All | All |
| Application | Oracle | Flexcube Investor Servicing | 14.0.0 | All | All | All |
| Application | Oracle | Flexcube Investor Servicing | 14.1.0 | All | All | All |
| Application | Oracle | Flexcube Private Banking | 12.0.0 | All | All | All |
| Application | Oracle | Flexcube Private Banking | 12.1.0 | All | All | All |
| Application | Oracle | Health Sciences Information Manager | All | All | All | All |
| Application | Oracle | Primavera Gateway | All | All | All | All |
| Application | Oracle | Primavera Unifier | 16.1 | All | All | All |
| Application | Oracle | Primavera Unifier | 16.2 | All | All | All |
| Application | Oracle | Primavera Unifier | 18.8 | All | All | All |
| Application | Oracle | Primavera Unifier | 19.12 | All | All | All |
| Application | Oracle | Primavera Unifier | All | All | All | All |
| Application | Oracle | Rapid Planning | 12.1 | All | All | All |
| Application | Oracle | Rapid Planning | 12.2 | All | All | All |
| Application | Oracle | Real-time Decision Server | 3.2.1.0 | All | All | All |
| Application | Oracle | Retail Advanced Inventory Planning | 14.1 | All | All | All |
| Application | Oracle | Retail Advanced Inventory Planning | 15.0 | All | All | All |
| Application | Oracle | Retail Advanced Inventory Planning | 16.0 | All | All | All |
| Application | Oracle | Retail Assortment Planning | 15.0.3 | All | All | All |
| Application | Oracle | Retail Assortment Planning | 16.0.3 | All | All | All |
| Application | Oracle | Retail Back Office | 14.0 | All | All | All |
| Application | Oracle | Retail Back Office | 14.1 | All | All | All |
| Application | Oracle | Retail Bulk Data Integration | 15.0 | All | All | All |
| Application | Oracle | Retail Bulk Data Integration | 16.0 | All | All | All |
| Application | Oracle | Retail Bulk Data Integration | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Bulk Data Integration | 19.0.1 | All | All | All |
| Application | Oracle | Retail Central Office | 14.0 | All | All | All |
| Application | Oracle | Retail Central Office | 14.1 | All | All | All |
| Application | Oracle | Retail Data Extractor For Merchandising | 1.10 | All | All | All |
| Application | Oracle | Retail Data Extractor For Merchandising | 1.9 | All | All | All |
| Application | Oracle | Retail Extract Transform And Load | 13.2.5 | All | All | All |
| Application | Oracle | Retail Extract Transform And Load | 13.2.8 | All | All | All |
| Application | Oracle | Retail Financial Integration | 14.1.3.2 | All | All | All |
| Application | Oracle | Retail Financial Integration | 15.0 | All | All | All |
| Application | Oracle | Retail Financial Integration | 15.0.4.0 | All | All | All |
| Application | Oracle | Retail Financial Integration | 16.0 | All | All | All |
| Application | Oracle | Retail Financial Integration | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Integration Bus | 14.1 | All | All | All |
| Application | Oracle | Retail Integration Bus | 14.1.3.2 | All | All | All |
| Application | Oracle | Retail Integration Bus | 15.0 | All | All | All |
| Application | Oracle | Retail Integration Bus | 15.0.4.0 | All | All | All |
| Application | Oracle | Retail Integration Bus | 16.0 | All | All | All |
| Application | Oracle | Retail Integration Bus | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Integration Bus | 19.0.1.0 | All | All | All |
| Application | Oracle | Retail Item Planning | 15.0.3 | All | All | All |
| Application | Oracle | Retail Macro Space Optimization | 15.0.3 | All | All | All |
| Application | Oracle | Retail Merchandise Financial Planning | 15.0.3 | All | All | All |
| Application | Oracle | Retail Merchandising System | 19.0.1 | All | All | All |
| Application | Oracle | Retail Point-of-service | 14.0 | All | All | All |
| Application | Oracle | Retail Point-of-service | 14.1 | All | All | All |
| Application | Oracle | Retail Point-of-service | 15.0 | All | All | All |
| Application | Oracle | Retail Point-of-service | 16.0 | All | All | All |
| Application | Oracle | Retail Predictive Application Server | 14.0.3 | All | All | All |
| Application | Oracle | Retail Predictive Application Server | 14.1.3 | All | All | All |
| Application | Oracle | Retail Predictive Application Server | 15.0.3 | All | All | All |
| Application | Oracle | Retail Predictive Application Server | 16.0.3 | All | All | All |
| Application | Oracle | Retail Predictive Application Server | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Regular Price Optimization | 15.0.3 | All | All | All |
| Application | Oracle | Retail Regular Price Optimization | 16.0.3 | All | All | All |
| Application | Oracle | Retail Replenishment Optimization | 15.0.3 | All | All | All |
| Application | Oracle | Retail Returns Management | 14.0 | All | All | All |
| Application | Oracle | Retail Returns Management | 14.1 | All | All | All |
| Application | Oracle | Retail Service Backbone | 14.1.3.2 | All | All | All |
| Application | Oracle | Retail Service Backbone | 15.0 | All | All | All |
| Application | Oracle | Retail Service Backbone | 15.0.4.0 | All | All | All |
| Application | Oracle | Retail Service Backbone | 16.0 | All | All | All |
| Application | Oracle | Retail Service Backbone | 16.0.3.0 | All | All | All |
| Application | Oracle | Retail Service Backbone | 19.0.1.0 | All | All | All |
| Application | Oracle | Retail Size Profile Optimization | 15.0.3 | All | All | All |
| Application | Oracle | Retail Size Profile Optimization | 16.0.3 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 14.0.4 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 14.1 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 14.1.3 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 15.0 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 15.0.3 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 16.0 | All | All | All |
| Application | Oracle | Retail Store Inventory Management | 16.0.3 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 15.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 16.0.6 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 17.0.4 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 18.0.3 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 19.0.2 | All | All | All |
| Application | Oracle | Timesten In-memory Database | All | All | All | All |
| Application | Oracle | Timesten In-memory Database | 11.2.2.8.49 | All | All | All |
| Application | Oracle | Utilities Framework | 2.2.0.0.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.2.0.2.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.2.0.3.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.0.0 | All | All | All |
| Application | Oracle | Utilities Framework | 4.4.0.2.0 | All | All | All |
| Application | Oracle | Utilities Framework | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Mitigation, Patch, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mitigation, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| oss-security - [CVE-2020-17521]: Apache Groovy Information Disclosure | MLIST | www.openwall.com | |
| [security-announce] openSUSE-SU-2020:1022-1: moderate: Security update f | SUSE | lists.opensuse.org | |
| Oracle Critical Patch Update Advisory - July 2020 | MISC | www.oracle.com | |
| [SECURITY] Fedora 32 Update: ant-1.10.8-1.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Mailing List, Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Third Party Advisory |
| [SECURITY] Fedora 31 Update: ant-1.10.8-1.fc31 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| [SECURITY] Fedora 31 Update: ant-1.10.8-1.fc31 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update Advisory - October 2020 | MISC | www.oracle.com | |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| Pony Mail! | MISC | lists.apache.org | Mailing List, Vendor Advisory |
| Apache Ant: Multiple vulnerabilities (GLSA 202007-34) - Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] Fedora 32 Update: ant-1.10.8-1.fc32 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| [creadur-dev] 20210621 [jira] [Commented] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8 | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Patch, Vendor Advisory |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| oss-security - [CVE-2020-11979] Apache Ant insecure temporary file vulnerability | MLIST | www.openwall.com | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Patch, Vendor Advisory |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| Oracle Critical Patch Update Advisory - January 2021 | MISC | www.oracle.com | |
| USN-4380-1: Apache Ant vulnerability - Ubuntu security notices - Ubuntu | UBUNTU | usn.ubuntu.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 296073 Oracle Solaris 11.4 Support Repository Update (SRU) 24.75.2 Missing (CPUJUL2020)
- 501175 Alpine Linux Security Update for apache-ant
- 504581 Alpine Linux Security Update for apache-ant
- 690501 Free Berkeley Software Distribution (FreeBSD) Security Update for apache ant leaks sensitive information via the java.io.tmpdir (6d5f1b0b-b865-48d5-935b-3fb6ebb425fc)
- 752811 SUSE Enterprise Linux Security Update for ant (SUSE-SU-2022:4022-1)
- 770050 Red Hat OpenShift Container Platform Security and Packages Update 4.6.17 (RHSA-2021:0423)
- 770051 Red Hat OpenShift Container Platform 4.5.33 Packages and Security Update (RHSA-2021:0429)
- 770099 Red Hat OpenShift Container Platform 4.5 Security Update (RHSA-2021-0429)
- 770122 Red Hat OpenShift Container Platform 4.6 Security Update (RHSA-2021-0423)
- 980315 Java (maven) Security Update for org.apache.ant:ant (GHSA-4p6w-m9wc-c9c9)