PT-2020-3256 · Apache+3 · Apache Ant+3

Published

2020-05-14

Updated

2024-06-15

CVE-2020-1945

CVSS v3.1

6.3

Medium

Vector

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Apache Ant versions 1.1 through 1.9.14 Apache Ant versions 1.10.0 through 1.10.7

Description The issue is related to the use of the default temporary directory identified by the Java system property java.io.tmpdir for several tasks, which may lead to sensitive information leakage. Specifically, the fixcrlf and replaceregexp tasks copy files from the temporary directory back into the build tree, allowing an attacker to inject modified source files into the build process. This could enable an attacker to modify data or gain unauthorized access to protected information.

Recommendations For Apache Ant versions 1.1 through 1.9.14, update to a version outside of this range to mitigate the risk. For Apache Ant versions 1.10.0 through 1.10.7, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the temporary directory identified by java.io.tmpdir to minimize the risk of exploitation.

Fix

Information Disclosure

Exposure of Resource to Wrong Sphere

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-377CWE-668

Related Identifiers

BDU:2020-03564

CVE-2020-1945

GHSA-4P6W-M9WC-C9C9

MGASA-2020-0237

OPENSUSE-SU-2020:1022-1

OPENSUSE-SU-2020_1022-1

OPENSUSE-SU-2024:10616-1

OPENSUSE-SU-2024:11676-1

RHSA-2021:0423

RHSA-2021:0429

RHSA-2021:0637

SUSE-SU-2020:1944-1

SUSE-SU-2020_1944-1

SUSE-SU-2022:4022-1

USN-4380-1

USN-4874-1

Affected Products

Apache Ant

Linuxmint

Suse

Ubuntu

PT-2020-3256 · Apache+3 · Apache Ant+3

CVE-2020-1945

Weakness Enumeration

Related Identifiers

Affected Products

References · 130