CVE-2020-1945

MEDIUM

Apache Ant < 1.9.14 - Exposure to Wrong Actor

Title source: rule

Description

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

References (52)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00053.html

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2020/09/30/6

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2020/12/06/1

[Mailing List] https://lists.apache.org/thread.html/r1863b9ce4c3e4b1e5b0c671ad05545ba3eb8399616aa746af5dfe1b1%40%3Cdev.creadur.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r1a9c992d7c8219dc15b4ad448649f0ffdaa88d76ef6a0035c49455f5%40%3Cdev.creadur.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r1b32c76afffcf676e13ed635a3332f3e46e6aaa7722eb3fc7a28f58e%40%3Cdev.hive.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e%40%3Cdev.creadur.apache.org%3E

[Mailing List] https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0%40%3Cdev.creadur.apache.org%3E

[Mailing List, Vendor Advisory] https://lists.apache.org/thread.html/r8e592bbfc016a5dbe2a8c0e81ff99682b9c78c453621b82c14e7b75e%40%3Cdev.ant.apache.org%3E

[Third Party Advisory] https://security.gentoo.org/glsa/202007-34

[Mailing List, Vendor Advisory] https://usn.ubuntu.com/4380-1/

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuApr2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujul2020.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2020.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2021.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EQBR65TINSJRN7PTPIVNYS33P535WM74/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRVAWTCVXJMRYKQKEXYSNBF7NLSR6OEI/

... and 32 more

Scores

CVSS v3 6.3

EPSS 0.0002

EPSS Percentile 5.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Classification

CWE

CWE-668

Status published

Affected Products (50)

apache/ant < 1.9.14

canonical/ubuntu_linux

fedoraproject/fedora

fedoraproject/fedora

opensuse/leap

oracle/agile_engineering_data_management

oracle/banking_enterprise_collections < 2.9.0

oracle/banking_liquidity_management < 14.4.0

oracle/banking_platform < 2.9.0

oracle/business_process_management_suite

oracle/business_process_management_suite

oracle/category_management_planning_\&_optimization

oracle/communications_asap

oracle/communications_diameter_signaling_router < 8.2.2

oracle/communications_metasolv_solution

... and 35 more

Timeline

Published May 14, 2020

Tracked Since Feb 18, 2026