CVE-2020-11979

Description

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

References

Mailing ListVendor Advisory
Mailing ListVendor Advisory
Mailing ListPatchVendor Advisory
Mailing ListVendor Advisory
Mailing ListVendor Advisory
Mailing ListVendor Advisory
Mailing ListThird Party Advisory
Mailing ListThird Party Advisory
Mailing ListThird Party Advisory
Third Party Advisory
PatchThird Party Advisory
Third Party Advisory
Mailing ListPatchVendor Advisory
PatchThird Party Advisory
Mailing ListPatchVendor Advisory
PatchThird Party Advisory
PatchThird Party Advisory
PatchThird Party Advisory
PatchThird Party Advisory

CvssV3 impact

BaseSeverity

HIGH

ConfidentialityImpact

NONE

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

NONE

IntegrityImpact

HIGH

PrivilegesRequired

NONE

BaseScore

7.5

VectorString

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

NONE

AvailabilityImpact

NONE

IntegrityImpact

PARTIAL

BaseScore

5

VectorString

AV:N/AC:L/Au:N/C:N/I:P/A:N

Version

2.0

AccessVector

NETWORK

Authentication

NONE