CVE-2020-11979

ant: insecure temporary file

  • Severity Score: 7.5 (CVSS v3.1)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-04-21 CVE Reserved
  • 2020-10-01 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-09-07 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-377: Insecure Temporary File
  • CWE-379: Creation of Temporary File in Directory with Insecure Permissions
References (21)
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Apache | Ant | 1.10.8 | - | Affected |
| Gradle | Gradle | < 6.8.0 | - | Affected |
| Fedoraproject | Fedora | 31 | - | Affected |
| Fedoraproject | Fedora | 32 | - | Affected |
| Fedoraproject | Fedora | 33 | - | Affected |
| Oracle | Agile Engineering Data Management | 6.2.1.0 | - | Affected |
| Oracle | Api Gateway | 11.1.2.4.0 | - | Affected |
| Oracle | Banking Platform | 2.4.0 | - | Affected |
| Oracle | Banking Platform | 2.4.1 | - | Affected |
| Oracle | Banking Platform | 2.6.2 | - | Affected |
| Oracle | Banking Platform | 2.7.0 | - | Affected |
| Oracle | Banking Platform | 2.7.1 | - | Affected |
| Oracle | Banking Platform | 2.8.0 | - | Affected |
| Oracle | Banking Treasury Management | 14.4 | - | Affected |
| Oracle | Communications Unified Inventory Management | 7.4.0 | - | Affected |
| Oracle | Communications Unified Inventory Management | 7.4.1 | - | Affected |
| Oracle | Data Integrator | 12.2.1.3.0 | - | Affected |
| Oracle | Data Integrator | 12.2.1.4.0 | - | Affected |
| Oracle | Endeca Information Discovery Studio | 3.2.0.0 | - | Affected |
| Oracle | Enterprise Repository | 11.1.1.7.0 | - | Affected |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6 <= 8.0.9 | - | Affected |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.1.0 | - | Affected |
| Oracle | Financial Services Analytical Applications Infrastructure | 8.1.1 | - | Affected |
| Oracle | Flexcube Private Banking | 12.0.0 | - | Affected |
| Oracle | Flexcube Private Banking | 12.1.0 | - | Affected |
| Oracle | Primavera Gateway | >= 16.2.0 <= 16.2.11 | - | Affected |
| Oracle | Primavera Gateway | >= 17.12.0 <= 17.12.9 | - | Affected |
| Oracle | Primavera Unifier | >= 17.7 <= 17.12 | - | Affected |
| Oracle | Primavera Unifier | 16.1 | - | Affected |
| Oracle | Primavera Unifier | 16.2 | - | Affected |
| Oracle | Primavera Unifier | 18.8 | - | Affected |
| Oracle | Primavera Unifier | 19.12 | - | Affected |
| Oracle | Primavera Unifier | 20.12 | - | Affected |
| Oracle | Real-time Decision Server | 3.2.0.0 | - | Affected |
| Oracle | Real-time Decision Server | 11.1.1.9.0 | - | Affected |
| Oracle | Retail Advanced Inventory Planning | 14.1 | - | Affected |
| Oracle | Retail Assortment Planning | 16.0.3 | - | Affected |
| Oracle | Retail Category Management Planning & Optimization | 16.0.3 | - | Affected |
| Oracle | Retail Eftlink | 19.0.1 | - | Affected |
| Oracle | Retail Eftlink | 20.0.0 | - | Affected |
| Oracle | Retail Financial Integration | 14.1.3 | - | Affected |
| Oracle | Retail Financial Integration | 15.0.3 | - | Affected |
| Oracle | Retail Financial Integration | 16.0.3 | - | Affected |
| Oracle | Retail Integration Bus | 15.0.3 | - | Affected |
| Oracle | Retail Item Planning | 16.0.3 | - | Affected |
| Oracle | Retail Macro Space Optimization | 16.0.3 | - | Affected |
| Oracle | Retail Merchandise Financial Planning | 16.0.3 | - | Affected |
| Oracle | Retail Merchandising System | 14.1.3.2 | - | Affected |
| Oracle | Retail Merchandising System | 16.0.3 | - | Affected |
| Oracle | Retail Predictive Application Server | 14.1 | - | Affected |
| Oracle | Retail Regular Price Optimization | 16.0.3 | - | Affected |
| Oracle | Retail Replenishment Optimization | 16.0.3 | - | Affected |
| Oracle | Retail Service Backbone | 14.1.3 | - | Affected |
| Oracle | Retail Service Backbone | 15.0.3 | - | Affected |
| Oracle | Retail Service Backbone | 16.0.3 | - | Affected |
| Oracle | Retail Size Profile Optimization | 16.0.3 | - | Affected |
| Oracle | Retail Store Inventory Management | 14.1.3.9 | - | Affected |
| Oracle | Retail Store Inventory Management | 15.0.3.0 | - | Affected |
| Oracle | Retail Store Inventory Management | 16.0.3.0 | - | Affected |
| Oracle | Retail Xstore Point Of Service | 15.0.4 | - | Affected |
| Oracle | Retail Xstore Point Of Service | 16.0.6 | - | Affected |
| Oracle | Retail Xstore Point Of Service | 17.0.4 | - | Affected |
| Oracle | Retail Xstore Point Of Service | 18.0.3 | - | Affected |
| Oracle | Retail Xstore Point Of Service | 19.0.2 | - | Affected |
| Oracle | Storagetek Acsls | 8.5.1 | - | Affected |
| Oracle | Storagetek Tape Analytics | 2.4 | - | Affected |
| Oracle | Timesten In-memory Database | < 11.2.2.8.27 | - | Affected |
| Oracle | Utilities Framework | 4.3.0.5.0 | - | Affected |
| Oracle | Utilities Framework | 4.3.0.6.0 | - | Affected |
| Oracle | Utilities Framework | 4.4.0.0.0 | - | Affected |
| Oracle | Utilities Framework | 4.4.0.2.0 | - | Affected |