PT-2020-5479 · Apache+1 · Apache Ant+1

Published 2020-09-30 · Updated 2024-06-15 · CVE-2020-11979

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Apache Ant versions prior to 1.10.8

Description

The issue is related to the implementation of the fixcrlf class in Apache Ant, which is used for automating the build process of software products. It involves insufficient cleaning of special elements in output data used by an incoming component. This could allow a remote attacker to gain unauthorized access to protected information. The exploitation of this issue may enable an attacker to inject modified source files into the build process.

Recommendations

For Apache Ant versions prior to 1.10.8, update to version 1.10.8 or later to resolve the issue. As a temporary workaround, consider restricting access to temporary files created by the fixcrlf task to minimize the risk of exploitation.

Fix

Code Injection

Special Elements Injection

Weakness Enumeration

Related Identifiers

BDU:2021-00774
BIT-GRADLE-2020-11979
CVE-2020-11979
GHSA-F62V-XPXF-3V68
GHSA-J45W-QRGF-25VM
MGASA-2021-0173
OPENSUSE-SU-2024:10616-1
RHSA-2021:0423
RHSA-2021:0429
RHSA-2021:0637
SUSE-SU-2022:4022-1
SUSE-SU-2022_4022-1

Affected Products

Apache Ant
Suse