CVE-2020-11979

HIGH
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

References

https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/

https://lists.fedoraproject.org/archives/list/[email protected]/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/

https://lists.fedoraproject.org/archives/list/[email protected]/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/

https://security.gentoo.org/glsa/202011-18

https://www.oracle.com/security-alerts/cpujan2021.html

https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm

https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E

https://www.oracle.com/security-alerts/cpuApr2021.html

Details

Source: MITRE

Published: 2020-10-01

Updated: 2021-06-14

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:ant:1.10.8:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.1.0 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 16.2.0 to 16.2.11 (inclusive)

cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 17.12.0 to 17.12.9 (inclusive)

cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from 17.7 to 17.12 (inclusive)

cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_financial_integration:14.1.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_financial_integration:15.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:14.1.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:15.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.9:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3.0:*:*:*:*:*:*:*

Tenable Plugins

View all (13 total)

IDNameProductFamilySeverity
147015RHEL 7 / 8 : OpenShift Container Platform 4.5.33 packages and (RHSA-2021:0429)NessusRed Hat Local Security Checks
high
147013RHEL 7 : OpenShift Container Platform 3.11.394 bug fix and (RHSA-2021:0637)NessusRed Hat Local Security Checks
high
146566RHEL 7 / 8 : OpenShift Container Platform 4.6.17 (RHSA-2021:0423)NessusRed Hat Local Security Checks
high
145709EulerOS 2.0 SP8 : ant (EulerOS-SA-2021-1133)NessusHuawei Local Security Checks
high
145569Oracle Primavera Unifier (Jan 2021 CPU)NessusCGI abuses
critical
145223Oracle Primavera Gateway (Jan 2021 CPU)NessusCGI abuses
high
142932GLSA-202011-18 : Apache Ant: Insecure temporary fileNessusGentoo Local Security Checks
high
141900Fedora 33 : ant (2020-2640aa4e19)NessusFedora Local Security Checks
high
141895Fedora 32 : ant (2020-92b1d001b3)NessusFedora Local Security Checks
high
141887Fedora 31 : ant (2020-3ce0f55bc5)NessusFedora Local Security Checks
high
141866Photon OS 3.0: Apache PHSA-2020-3.0-0155NessusPhotonOS Local Security Checks
high
141860Photon OS 1.0: Apache PHSA-2020-1.0-0335NessusPhotonOS Local Security Checks
high
141642Photon OS 2.0: Apache PHSA-2020-2.0-0291NessusPhotonOS Local Security Checks
high