Vulnerability Details : CVE-2020-11979
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
Products affected by CVE-2020-11979
- cpe:2.3:a:apache:ant:1.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_service_backbone:14.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_service_backbone:15.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_merchandising_system:14.1.3.2:*:*:*:*:*:*:*
- Oracle » Financial Services Analytical Applications Infrastructure, versions from (including) 8.0.6 up to (including) 8.0.9: cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:14.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:15.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:real-time_decision_server:3.2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:real-time_decision_server:11.1.1.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:banking_treasury_management:14.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_eftlink:19.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_eftlink:20.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_item_planning:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_macro_space_optimization:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_merchandise_financial_planning:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_regular_price_optimization:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_replenishment_optimization:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_size_profile_optimization:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_category_management_planning_\&_optimization:16.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:storagetek_acsls:8.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:storagetek_tape_analytics:2.4:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11979
- 0.59%: probability of exploitation activity in the next 30 days
- ~67%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11979
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-11979
- The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file. Assigned by: security@apache.org (Secondary)
References for CVE-2020-11979
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc@%3Cdev.creadur.apache.org%3E
  [jira] [Updated] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 - Pony Mail (Mailing List; Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html
  Oracle Critical Patch Update Advisory - April 2022 (Patch; Third Party Advisory)
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e@%3Cdev.creadur.apache.org%3E
  [jira] [Commented] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 - Pony Mail (Mailing List; Patch; Vendor Advisory)
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0@%3Cdev.creadur.apache.org%3E
  [jira] [Updated] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8 - Pony Mail (Mailing List; Vendor Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html
  Oracle Critical Patch Update Advisory - July 2021 (Patch; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html
  Oracle Critical Patch Update Advisory - January 2022 (Patch; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
  [SECURITY] Fedora 33 Update: ant-1.10.9-1.fc33 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
  [CVE-2020-11979] Apache Ant insecure temporary file vulnerability - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c@%3Cdev.creadur.apache.org%3E
  [jira] [Commented] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8 - Pony Mail (Mailing List; Patch; Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html
  Oracle Critical Patch Update Advisory - January 2021 (Patch; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html
  Oracle Critical Patch Update Advisory - April 2021 (Patch; Third Party Advisory)
- https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm
  CVE-2020-11979: Apache Ant insecure temporary file vulnerability · Advisory · gradle/gradle · GitHub (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/
  [SECURITY] Fedora 31 Update: ant-1.10.9-1.fc31 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/
  [SECURITY] Fedora 32 Update: ant-1.10.9-1.fc32 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490@%3Cdev.creadur.apache.org%3E
  [jira] [Assigned] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 - Pony Mail (Mailing List; Vendor Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html
  Oracle Critical Patch Update Advisory - October 2021 (Patch; Third Party Advisory)
- https://security.gentoo.org/glsa/202011-18
  Apache Ant: Insecure temporary file (GLSA 202011-18) — Gentoo security (Third Party Advisory)
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a@%3Cdev.creadur.apache.org%3E
  [jira] [Commented] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8 - Pony Mail (Mailing List; Patch; Vendor Advisory)
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305@%3Cdev.creadur.apache.org%3E
  Pony Mail! (Mailing List; Vendor Advisory)