CVE-2020-11979

As a mitigation for CVE-2020-1945, Apache Ant 1.10.8 changed the permissions of the temporary files it created so that only the current user was allowed to access them. Unfortunately, the fixcrlf task deleted the temporary file and created a new one without that protection, effectively nullifying the fix. This would still allow an attacker with access to the shared temporary directory to inject modified source files into the build process.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | NIST | 7.5 HIGH   | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
apache   | CNA  | ---        |             |                 |                | ---
CVE      | ADP  | ---        |             |                 |                | ---

Base Score (CVSS 3.x): 7.5 HIGH
EPSS Score: Percentile 68%
Vendor | Product | Version
apache | ant | 1.10.8
gradle | gradle | x < 6.8.0
oracle | agile_engineering_data_management | 6.2.1.0
oracle | api_gateway | 11.1.2.4.0
oracle | banking_platform | 2.4.0
oracle | banking_platform | 2.4.1
oracle | banking_platform | 2.6.2
oracle | banking_platform | 2.7.0
oracle | banking_platform | 2.7.1
oracle | banking_platform | 2.8.0
oracle | banking_treasury_management | 14.4
oracle | communications_unified_inventory_management | 7.4.0
oracle | communications_unified_inventory_management | 7.4.1
oracle | data_integrator | 12.2.1.3.0
oracle | data_integrator | 12.2.1.4.0
oracle | endeca_information_discovery_studio | 3.2.0.0
oracle | enterprise_repository | 11.1.1.7.0
oracle | financial_services_analytical_applications_infrastructure | 8.0.6 ≤ x ≤ 8.0.9
oracle | financial_services_analytical_applications_infrastructure | 8.1.0
oracle | financial_services_analytical_applications_infrastructure | 8.1.1
oracle | flexcube_private_banking | 12.0.0
oracle | flexcube_private_banking | 12.1.0
oracle | primavera_gateway | 16.2.0 ≤ x ≤ 16.2.11
oracle | primavera_gateway | 17.12.0 ≤ x ≤ 17.12.9
oracle | primavera_unifier | 17.7 ≤ x ≤ 17.12
oracle | primavera_unifier | 16.1
oracle | primavera_unifier | 16.2
oracle | primavera_unifier | 18.8
oracle | primavera_unifier | 19.12
oracle | primavera_unifier | 20.12
oracle | real-time_decision_server | 3.2.0.0
oracle | real-time_decision_server | 11.1.1.9.0
oracle | retail_advanced_inventory_planning | 14.1
oracle | retail_assortment_planning | 16.0.3
oracle | retail_category_management_planning_&_optimization | 16.0.3
oracle | retail_eftlink | 19.0.1
oracle | retail_eftlink | 20.0.0
oracle | retail_financial_integration | 14.1.3
oracle | retail_financial_integration | 15.0.3
oracle | retail_financial_integration | 16.0.3
oracle | retail_integration_bus | 15.0.3
oracle | retail_item_planning | 16.0.3
oracle | retail_macro_space_optimization | 16.0.3
oracle | retail_merchandise_financial_planning | 16.0.3
oracle | retail_merchandising_system | 14.1.3.2
oracle | retail_merchandising_system | 16.0.3
oracle | retail_predictive_application_server | 14.1
oracle | retail_regular_price_optimization | 16.0.3
oracle | retail_replenishment_optimization | 16.0.3
oracle | retail_service_backbone | 14.1.3
oracle | retail_service_backbone | 15.0.3
oracle | retail_service_backbone | 16.0.3
oracle | retail_size_profile_optimization | 16.0.3
oracle | retail_store_inventory_management | 14.1.3.9
oracle | retail_store_inventory_management | 15.0.3.0
oracle | retail_store_inventory_management | 16.0.3.0
oracle | retail_xstore_point_of_service | 15.0.4
oracle | retail_xstore_point_of_service | 16.0.6
oracle | retail_xstore_point_of_service | 17.0.4
oracle | retail_xstore_point_of_service | 18.0.3
oracle | retail_xstore_point_of_service | 19.0.2
oracle | storagetek_acsls | 8.5.1
oracle | storagetek_tape_analytics | 2.4
oracle | timesten_in-memory_database | x < 11.2.2.8.27
oracle | utilities_framework | 4.3.0.5.0
oracle | utilities_framework | 4.3.0.6.0
oracle | utilities_framework | 4.4.0.0.0
oracle | utilities_framework | 4.4.0.2.0

x = vulnerable software versions
Debian Releases (Debian product: ant)

Codename | Version   | Status
bullseye | 1.10.9-4  | fixed
buster   |           | not-affected
stretch  |           | not-affected
bookworm | 1.10.13-1 | fixed
sid      | 1.10.15-1 | fixed
trixie   | 1.10.15-1 | fixed
Ubuntu Releases (Ubuntu product: ant)

Codename | Status
noble    | not-affected
mantic   | not-affected
lunar    | not-affected
kinetic  | not-affected
jammy    | not-affected
impish   | not-affected
hirsute  | not-affected
groovy   | ignored
focal    | needs-triage
bionic   | needs-triage
xenial   | needs-triage
trusty   | needs-triage
References