Vulnerability in Apache Ant
CVE-2020-11979
As mitigation for CVE-2020-1945, Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately, the fixcrlf task deleted the temporary file and created a new o…
EPSS: 0.081 (94.1st percentile).
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.
Affected products
- Apache Ant — version 1.10.8
- Gradle
- Oracle Agile Engineering Data Management — version 6.2.1.0
- Oracle API Gateway — version 11.1.2.4.0
- Oracle Banking Platform — versions 2.4.0, 2.4.1, 2.6.2
- Oracle Banking Treasury Management — version 14.4
- Oracle Communications Unified Inventory Management — versions 7.4.0, 7.4.1
- Oracle Data Integrator — versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Endeca Information Discovery Studio — version 3.2.0.0
- Oracle Enterprise Repository — version 11.1.1.7.0
Weakness classification (CWE)
- Creation of Temporary File in Directory with Insecure Permissions (CWE-379)
Public proof-of-concept exploits
References
- Apache security mailing list posts from security@apache.org (vendor advisory; six entries indexed)
- Fedora vendor advisories (three entries indexed)
- Gentoo vendor advisory (third-party advisory)
Frequently asked questions
- What is CVE-2020-11979?
- CVE-2020-11979 is a high-severity vulnerability in Apache Ant, classified under Creation of Temporary File in Directory with Insecure Permissions. CVSS score: 7.5/10. Published 2020-10-01.
- How severe is CVE-2020-11979?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2020-11979 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.