Vulnerability Description
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Ant | 1.10.8 |
| Gradle | Gradle | < 6.8.0 |
| Fedoraproject | Fedora | 31 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Api Gateway | 11.1.2.4.0 |
| Oracle | Banking Platform | 2.4.0 |
| Oracle | Banking Treasury Management | 14.4 |
| Oracle | Communications Unified Inventory Management | 7.4.0 |
| Oracle | Data Integrator | 12.2.1.3.0 |
| Oracle | Endeca Information Discovery Studio | 3.2.0.0 |
| Oracle | Enterprise Repository | 11.1.1.7.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.0.9 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Oracle | Primavera Gateway | >= 16.2.0, <= 16.2.11 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Real-Time Decision Server | 3.2.0.0 |
| Oracle | Retail Advanced Inventory Planning | 14.1 |
| Oracle | Retail Assortment Planning | 16.0.3 |
| Oracle | Retail Category Management Planning \& Optimization | 16.0.3 |
| Oracle | Retail Eftlink | 19.0.1 |
Related Weaknesses (CWE)
References
- https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vmThird Party Advisory
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa69
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e84673881
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2c
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d66
- https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0af
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3a
- https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e9Mailing ListVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202011-18Third Party Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
FAQ
What is CVE-2020-11979?
CVE-2020-11979 is a vulnerability with a CVSS score of 7.5 (HIGH). As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted...
How severe is CVE-2020-11979?
CVE-2020-11979 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11979?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Ant, Gradle Gradle, Fedoraproject Fedora, Oracle Agile Engineering Data Management, Oracle Api Gateway.