Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.3
CVSSv3

CVE-2020-1945

Published: 14/05/2020 Updated: 07/11/2023
CVSS v2 Base Score: 3.3 | Impact Score: 4.9 | Exploitability Score: 3.4
CVSS v3 Base Score: 6.3 | Impact Score: 5.2 | Exploitability Score: 1
VMScore: 294
Vector: AV:L/AC:M/Au:N/C:P/I:P/A:N
Subscribe to Ant

Vulnerability Summary

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an malicious user to inject modified source files into the build process.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache ant

canonical ubuntu linux 19.10

fedoraproject fedora 31

fedoraproject fedora 32

opensuse leap 15.2

oracle flexcube investor servicing 12.3.0

oracle flexcube investor servicing 12.1.0

oracle flexcube private banking 12.1.0

oracle primavera unifier 16.2

oracle retail integration bus 14.1

oracle flexcube private banking 12.0.0

oracle retail store inventory management 14.1

oracle primavera unifier 16.1

oracle enterprise repository 11.1.1.7.0

oracle retail service backbone 15.0

oracle retail integration bus 15.0

oracle retail back office 14.1

oracle retail back office 14.0

oracle utilities framework 4.2.0.3.0

oracle utilities framework 4.2.0.2.0

oracle utilities framework 2.2.0.0.0

oracle flexcube investor servicing 12.4.0

oracle business process management suite 12.2.1.3.0

oracle retail bulk data integration 16.0

oracle flexcube investor servicing 14.0.0

oracle retail integration bus 16.0

oracle retail returns management 14.0

oracle retail returns management 14.1

oracle retail central office 14.0

oracle retail central office 14.1

oracle primavera unifier 18.8

oracle retail point-of-service 14.1

oracle retail point-of-service 14.0

oracle retail predictive application server 15.0.3

oracle data integrator 12.2.1.3.0

oracle primavera unifier

oracle endeca information discovery studio 3.2.0

oracle utilities framework 4.4.0.0.0

oracle retail financial integration 15.0

oracle retail financial integration 16.0

oracle communications metasolv solution 6.3.0

oracle flexcube investor servicing 14.1.0

oracle retail store inventory management 16.0

oracle primavera unifier 19.12

oracle financial services analytical applications infrastructure

oracle rapid planning 12.1

oracle rapid planning 12.2

oracle utilities framework

oracle utilities framework 4.4.0.2.0

oracle communications diameter signaling router

oracle enterprise manager ops center 12.4.0.0

oracle retail advanced inventory planning 14.1

oracle retail bulk data integration 16.0.3.0

oracle retail predictive application server 16.0.3.0

oracle agile engineering data management 6.2.1.0

oracle data integrator 12.2.1.4.0

oracle primavera gateway

oracle retail service backbone 16.0

oracle banking platform

oracle communications order and service management 7.4

oracle real-time decision server 3.2.1.0

oracle banking liquidity management

oracle business process management suite 12.2.1.4.0

oracle retail predictive application server 14.0.3

oracle retail xstore point of service 16.0.6

oracle retail xstore point of service 17.0.4

oracle retail xstore point of service 18.0.3

oracle retail xstore point of service 19.0.2

oracle retail service backbone 14.1.3.2

oracle retail xstore point of service 15.0.4

oracle retail store inventory management 14.0.4

oracle retail store inventory management 14.1.3

oracle retail store inventory management 15.0.3

oracle retail store inventory management 16.0.3

oracle retail service backbone 15.0.4.0

oracle retail service backbone 16.0.3.0

oracle retail service backbone 19.0.1.0

oracle retail merchandising system 19.0.1

oracle retail integration bus 14.1.3.2

oracle retail integration bus 15.0.4.0

oracle retail integration bus 16.0.3.0

oracle retail store inventory management 15.0

oracle retail integration bus 19.0.1.0

oracle retail predictive application server 14.1.3

oracle retail financial integration 14.1.3.2

oracle retail financial integration 15.0.4.0

oracle retail financial integration 16.0.3.0

oracle retail extract transform and load 13.2.8

oracle retail bulk data integration 19.0.1

oracle retail advanced inventory planning 15.0

oracle retail advanced inventory planning 16.0

oracle retail predictive application server 16.0.3

oracle retail size profile optimization 15.0.3

oracle retail replenishment optimization 15.0.3

oracle retail regular price optimization 16.0.3

oracle retail regular price optimization 15.0.3

oracle retail merchandise financial planning 15.0.3

oracle retail macro space optimization 15.0.3

oracle retail item planning 15.0.3

oracle retail data extractor for merchandising 1.10

oracle retail data extractor for merchandising 1.9

oracle retail bulk data integration 15.0

oracle retail assortment planning 16.0.3

oracle retail assortment planning 15.0.3

oracle category management planning \\& optimization 15.0.3

oracle banking enterprise collections

oracle communications order and service management 7.3

oracle retail point-of-service 15.0

oracle retail point-of-service 16.0

oracle retail extract transform and load 13.2.5

oracle communications asap 7.3

oracle retail size profile optimization 16.0.3

oracle health sciences information manager

oracle timesten in-memory database

oracle timesten in-memory database 11.2.2.8.49

Vendor Advisories

Ubuntu Security Notice: Apache Ant vulnerability
Apache Ant could leak sensitive information or be made to run programs as your login ...
Debian CVElist Bug Report Logs: ant: CVE-2020-1945
Debian Bug report logs - #960630 ant: CVE-2020-1945 Package: src:ant; Maintainer for src:ant is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Thu, 14 May 2020 20:39:01 UTC Severity: important Tags: security, upstream Found in versi ...
Debian CVElist Bug Report Logs: ant: CVE-2020-11979
Debian Bug report logs - #971612 ant: CVE-2020-11979 Package: src:ant; Maintainer for src:ant is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sat, 3 Oct 2020 05:18:01 UTC Severity: important Tags: security, upstream Found in vers ...
Red Hat: Important: OpenShift Container Platform 4.6.17 security and packages update
Synopsis Important: OpenShift Container Platform 4617 security and packages update Type/Severity Security Advisory: Important Topic Red Hat OpenShift Container Platform release 4617 is now available withupdates to packages and images that fix several bugsThis release includes a security update for Red ...
Red Hat: Moderate: Red Hat Process Automation Manager 7.9.0 security update
Synopsis Moderate: Red Hat Process Automation Manager 790 security update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat Process Automation ManagerRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring ...
Red Hat: Moderate: Red Hat Decision Manager 7.9.0 security update
Synopsis Moderate: Red Hat Decision Manager 790 security update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat Decision ManagerRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base ...
Arch Linux Issues:
Apache Ant uses the default temporary directory identified by the Java system property javaiotmpdir for several tasks and may thus leak sensitive information The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process ...

Mailing Lists

Full Disclosure: [CVE-2020-1945] Apache Ant insecure temporary file vulnerability
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> [CVE-2020-1945] Apache Ant insecure temporary file vulnerability <!--X-Subject-Header-End--> <!--X-Head-of-Message--> From: ...

References

CWE-668https://lists.apache.org/thread.html/r8e592bbfc016a5dbe2a8c0e81ff99682b9c78c453621b82c14e7b75e%40%3Cdev.ant.apache.org%3Ehttps://usn.ubuntu.com/4380-1/https://www.oracle.com/security-alerts/cpujul2020.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00053.htmlhttps://security.gentoo.org/glsa/202007-34http://www.openwall.com/lists/oss-security/2020/09/30/6https://www.oracle.com/security-alerts/cpuoct2020.htmlhttp://www.openwall.com/lists/oss-security/2020/12/06/1https://www.oracle.com/security-alerts/cpujan2021.htmlhttps://www.oracle.com/security-alerts/cpuApr2021.htmlhttps://www.oracle.com//security-alerts/cpujul2021.htmlhttps://www.oracle.com/security-alerts/cpuoct2021.htmlhttps://www.oracle.com/security-alerts/cpujan2022.htmlhttps://lists.apache.org/thread.html/rda80ac59119558eaec452e58ddfac2ccc9211da1c65f7927682c78b1%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/rfd346609527a79662c48b1da3ac500ec30f29f7ddaa3575051e81890%40%3Ccommits.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/re1ce84518d773a94a613d988771daf9252c9cf7375a9a477009f9735%40%3Ccommits.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/r95dc943e47a211d29df605e14f86c280fc9fa8d828b2b53bd07673c9%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/rd7dda48ff835f4d0293949837d55541bfde3683bd35bd8431e324538%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/r1863b9ce4c3e4b1e5b0c671ad05545ba3eb8399616aa746af5dfe1b1%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/rdaa9c51d5dc6560c9d2b3f3d742c768ad0705e154041e574a0fae45c%40%3Cnotifications.groovy.apache.org%3Ehttps://lists.apache.org/thread.html/r1b32c76afffcf676e13ed635a3332f3e46e6aaa7722eb3fc7a28f58e%40%3Cdev.hive.apache.org%3Ehttps://lists.apache.org/thread.html/r0d08a96ba9de8aa435f32944e8b2867c368a518d4ff57782e3637335%40%3Cissues.hive.apache.org%3Ehttps://lists.apache.org/thread.html/r4b2904d64affd4266cd72ccb2fc3927c1c2f22009f183095aa46bf90%40%3Cissues.hive.apache.org%3Ehttps://lists.apache.org/thread.html/r6edd3e2cb79ee635630d891b54a4f1a9cd8c7f639d6ee34e75fbe830%40%3Cissues.hive.apache.org%3Ehttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRVAWTCVXJMRYKQKEXYSNBF7NLSR6OEI/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EQBR65TINSJRN7PTPIVNYS33P535WM74/https://lists.apache.org/thread.html/r8e24abb7dd77cda14c6df90a377c94f0a413bbfcec90a29540ff8adf%40%3Cissues.hive.apache.org%3Ehttps://lists.apache.org/thread.html/r2704fb14ce068c64759a986f81d5b5e42ab434fa13d0f444ad52816b%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/r6e295d792032ec02b32be3846c21a58857fba4a077d22c5842d69ba2%40%3Ctorque-dev.db.apache.org%3Ehttps://lists.apache.org/thread.html/r815f88d1044760176f30a4913b4baacd06f3eae4eb662de7388e46d8%40%3Cissues.hive.apache.org%3Ehttps://lists.apache.org/thread.html/r5dfc77048b1f9db26622dce91a6edf083d499397256594952fad5f35%40%3Ccommits.myfaces.apache.org%3Ehttps://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3Ehttps://lists.apache.org/thread.html/rb8ec556f176c83547b959150e2108e2ddf1d61224295941908b0a81f%40%3Cannounce.apache.org%3Ehttps://lists.apache.org/thread.html/rc89e491b5b270fb40f1210b70554527b737c217ad2e831b643ead6bc%40%3Cuser.ant.apache.org%3Ehttps://lists.apache.org/thread.html/rf07feaf78afc8f701e21948a06ef92565d3dff1242d710f4fbf900b2%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/r1a9c992d7c8219dc15b4ad448649f0ffdaa88d76ef6a0035c49455f5%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/r3cea0f3da4f6d06d7afb6c0804da8e01773a0f50a09b8d9beb2cda65%40%3Cissues.hive.apache.org%3Ehttps://lists.apache.org/thread.html/r6030d34ceacd0098538425c5dac8251ffc7fd90b886942bc7ef87858%40%3Cnotifications.groovy.apache.org%3Ehttps://lists.apache.org/thread.html/rce099751721c26a8166d8b6578293820832831a0b2cb8d93b8efa081%40%3Cnotifications.groovy.apache.org%3Ehttps://lists.apache.org/thread.html/r6970d196cd73863dafdbc3a7052562deedd338e3bd7d73d8171d92d6%40%3Ccommits.groovy.apache.org%3Ehttps://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f32301c97047967%40%3Cusers.groovy.apache.org%3Ehttps://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f32301c97047967%40%3Cdev.groovy.apache.org%3Ehttps://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f32301c97047967%40%3Cannounce.apache.org%3Ehttps://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3Ehttps://lists.apache.org/thread.html/rb860063819b9c0990e1fbce29d83f4554766fe5a05e3b3939736bf2b%40%3Ccommits.myfaces.apache.org%3Ehttps://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c%40%3Cdev.creadur.apache.org%3Ehttps://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a%40%3Cdev.creadur.apache.org%3Ehttps://usn.ubuntu.com/4380-1/https://nvd.nist.gov
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-38298CVE-2024-20356CVE-2023-21987CVE-2024-33217bypassCVE-2024-31804CVE-2024-32660unauthorizedSSRF
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook