CVE-2020-11979
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/10/2020
Last modified:
07/11/2023
Description
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:ant:1.10.8:*:*:*:*:*:*:* | ||
| cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:* | 6.8.0 (excluding) | |
| cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:banking_treasury_management:14.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
- https://security.gentoo.org/glsa/202011-18
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html