Vulnerability Description
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
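The practical questions this description raises are (a) is the installed Ant in one of the two affected ranges, and (b) does the JVM's default `java.io.tmpdir` (normally `/tmp` on Linux) let other local users write into it, which is what makes the fixcrlf/replaceregexp round-trip dangerous. The script below is an added example, not code from the Apache Ant project or from this advisory: it classifies a version string against the ranges quoted above (1.1 to 1.9.14, 1.10.0 to 1.10.7), reports whether a directory is writable by other users, and wraps an Ant invocation in a freshly created mode-0700 temp directory passed through `ANT_OPTS`. The `ant -version` banner string used in the tests is constructed sample input; the function names are the example's own.

```shell
#!/bin/sh
# Added example for CVE-2020-1945 (not part of the advisory).
# Classifies an Ant version, checks tmpdir sharing, and runs Ant with a
# private java.io.tmpdir. POSIX sh; no Ant install needed for the checks.

# Pull "x.y.z" out of the first line of `ant -version`, e.g.
# "Apache Ant(TM) version 1.10.7 compiled on September 1 2019" -> 1.10.7
ant_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print "affected" if VERSION is in 1.1..1.9.14 or 1.10.0..1.10.7,
# "fixed" otherwise, "unknown" for input that is not a version string.
ant_affected() {
  v=$1
  case $v in [0-9]*) ;; *) echo unknown; return 0 ;; esac
  major=${v%%.*}
  rest=${v#*.}
  if [ "$rest" = "$v" ]; then rest=0; fi        # bare "1": no minor part
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$patch" = "$rest" ]; then patch=0; fi   # "1.9": no patch part
  patch=${patch%%[!0-9]*}                       # drop "-SNAPSHOT" and similar
  if [ -z "$patch" ]; then patch=0; fi
  if [ "$major" -ne 1 ]; then
    echo fixed
  elif [ "$minor" -le 8 ]; then
    echo affected                               # every 1.1 .. 1.8.x release
  elif [ "$minor" -eq 9 ] && [ "$patch" -le 14 ]; then
    echo affected
  elif [ "$minor" -eq 10 ] && [ "$patch" -le 7 ]; then
    echo affected
  else
    echo fixed
  fi
}

# "shared" if other users may write to DIR (e.g. /tmp is drwxrwxrwt),
# "private" otherwise. Position 9 of the ls mode string is the
# other-write bit, which is the property that lets another local user
# plant or swap temp files that Ant later copies back into the build.
dir_sharing() {
  perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
  case $perms in
    ????????w?) echo shared ;;
    *)          echo private ;;
  esac
}

# Create a per-run temp directory only the current user can enter.
make_private_tmpdir() {
  d=$(mktemp -d "${TMPDIR:-/tmp}/ant-private.XXXXXX") || return 1
  chmod 700 "$d" || return 1
  printf '%s\n' "$d"
}

# Mitigation for installs that cannot be upgraded yet: point java.io.tmpdir
# at a private directory for the duration of one Ant run. All arguments are
# passed through to ant; the directory is removed afterwards.
ant_private_tmp() {
  d=$(make_private_tmpdir) || return 1
  ANT_OPTS="${ANT_OPTS:+$ANT_OPTS }-Djava.io.tmpdir=$d" ant "$@"
  rc=$?
  rm -rf "$d"
  return $rc
}

# When run directly: report the installed Ant (if any) and whether the
# JVM's usual default temp directory on Linux, /tmp, is shared.
if command -v ant >/dev/null 2>&1; then
  ver=$(ant_version_from_banner "$(ant -version 2>/dev/null)")
  echo "ant $ver: $(ant_affected "$ver")"
fi
echo "/tmp: $(dir_sharing /tmp)"
```

Use `ant_private_tmp -f build.xml` in place of `ant -f build.xml` on an affected host; the affected ranges end at 1.9.14 and 1.10.7, so the first releases that do not need this workaround are 1.9.15 and 1.10.8. Note that the version check keys off the banner only; a vendored `ant.jar` inside an IDE or CI image has to be inspected separately.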
CVSS Score
6.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Ant | >= 1.1, <= 1.9.14 |
| Apache | Ant | >= 1.10.0, <= 1.10.7 |
| Canonical | Ubuntu Linux | 19.10 |
| Fedoraproject | Fedora | 31 |
| Opensuse | Leap | 15.2 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Banking Enterprise Collections | >= 2.7.0, <= 2.9.0 |
| Oracle | Banking Liquidity Management | >= 14.0.0, <= 14.4.0 |
| Oracle | Banking Platform | >= 2.4.0, <= 2.9.0 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Category Management Planning & Optimization | 15.0.3 |
| Oracle | Communications Asap | 7.3 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0, <= 8.2.2 |
| Oracle | Communications Metasolv Solution | 6.3.0 |
| Oracle | Communications Order And Service Management | 7.3 |
| Oracle | Data Integrator | 12.2.1.3.0 |
| Oracle | Endeca Information Discovery Studio | 3.2.0 |
| Oracle | Enterprise Manager Ops Center | 12.4.0.0 |
| Oracle | Enterprise Repository | 11.1.1.7.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.0 |
| Oracle | Flexcube Investor Servicing | 12.1.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00053.html (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/09/30/6 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/12/06/1 (Mailing List, Third Party Advisory)
- https://lists.apache.org/thread.html/r0d08a96ba9de8aa435f32944e8b2867c368a518d4f
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae
- https://lists.apache.org/thread.html/r1863b9ce4c3e4b1e5b0c671ad05545ba3eb8399616
- https://lists.apache.org/thread.html/r1a9c992d7c8219dc15b4ad448649f0ffdaa88d76ef
- https://lists.apache.org/thread.html/r1b32c76afffcf676e13ed635a3332f3e46e6aaa772
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa69
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e84673881
- https://lists.apache.org/thread.html/r2704fb14ce068c64759a986f81d5b5e42ab434fa13
- https://lists.apache.org/thread.html/r3cea0f3da4f6d06d7afb6c0804da8e01773a0f50a0
- https://lists.apache.org/thread.html/r4b2904d64affd4266cd72ccb2fc3927c1c2f22009f
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2c
- https://lists.apache.org/thread.html/r5dfc77048b1f9db26622dce91a6edf083d49939725
FAQ
What is CVE-2020-1945?
CVE-2020-1945 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree, allowing an attacker with write access to that directory to inject modified source files into the build process.
How severe is CVE-2020-1945?
CVE-2020-1945 has been rated MEDIUM with a CVSS base score of 6.3/10. The impact depends on whether java.io.tmpdir points at a directory shared with other local users (such as /tmp): on a single-user build machine the exposure is limited, on a shared CI host it allows another local user to read Ant's temporary files and, through fixcrlf and replaceregexp, to alter files that end up in the build.
Is there a patch for CVE-2020-1945?
The affected ranges end at 1.9.14 and 1.10.7, so upgrading to Apache Ant 1.9.15 or 1.10.8 (or later) removes the issue. Where an upgrade is not immediately possible, run Ant with java.io.tmpdir set to a directory writable only by the build user, for example via the ANT_OPTS environment variable (ANT_OPTS=-Djava.io.tmpdir=/path/to/private/dir). Check the references section above for vendor advisories covering the downstream packages; affected products include: Apache Ant, Canonical Ubuntu Linux, Fedoraproject Fedora, Opensuse Leap, Oracle Agile Engineering Data Management and the other Oracle products that bundle Ant listed above.