CVE-2020-11979

Aliases: GHSA-f62v-xpxf-3v68, BIT-gradle-2020-11979
Status: Modified
Published: 01 Oct 2020, 19:24
Last modified: 04 Aug 2024, 11:48

Vulnerability Summary

Overall Risk (default): medium (30/100)
CVSS Score: 7.5 HIGH, v3.1 (nvd)
EPSS Score: 1.1% LOW (1% probability, -0.02%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

01 Oct 2020, 19:24: Published (vulnerability first disclosed)
04 Aug 2024, 11:48: Last Modified (vulnerability information updated)

Description

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
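The defect the description sketches is generic to any tool that protects a temporary file at creation and later replaces it: the restrictive mode lives on the file that was created, not on the path, so deleting the file and creating a new one at the same path silently falls back to whatever the process umask yields. The following Python illustration is added here and is not Ant's code or the fixcrlf implementation; it measures the mode after each of two ways of recreating a file. The helper names, the constructed umask values and the sample file content are assumptions made for the demonstration.

```python
import os
import stat
import tempfile


def _mode(path):
    """Return the permission bits of a file as an int (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def recreate_insecurely(path):
    """Delete the protected file and recreate it with a plain open().

    This mirrors the failure mode in the description: the new file gets
    0o666 masked only by the process umask, not the 0o600 the original had.
    """
    os.remove(path)
    with open(path, "w") as fh:
        fh.write("rewritten content\n")  # constructed sample content
    return _mode(path)


def recreate_securely(path):
    """Delete the protected file and recreate it with an explicit 0o600.

    O_EXCL makes the creation fail if something else raced in a file at the
    same path; the explicit mode does not depend on the umask.
    """
    os.remove(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("rewritten content\n")  # constructed sample content
    return _mode(path)


def demo(umask=0o022):
    """Create a protected temp file, then recreate it both ways.

    Returns (initial_mode, mode_after_insecure_recreate, mode_after_secure_recreate).
    The umask is set explicitly (constructed value) so the result is deterministic.
    """
    old = os.umask(umask)
    try:
        fd, path = tempfile.mkstemp()  # mkstemp always creates the file 0o600
        os.close(fd)
        initial = _mode(path)
        insecure = recreate_insecurely(path)
        secure = recreate_securely(path)
        os.remove(path)
        return initial, insecure, secure
    finally:
        os.umask(old)


if __name__ == "__main__":
    initial, insecure, secure = demo()
    print(f"created by mkstemp:   {initial:o}")
    print(f"after naive recreate: {insecure:o}")
    print(f"after hardened recreate: {secure:o}")
```

With the usual 0o022 umask the naive recreation leaves the file world-readable (0o644), which is exactly the gap a build tool's own mitigation is supposed to close; only with a 0o077 umask does the naive path happen to coincide with the hardened one, which is why a fix should set the mode explicitly rather than rely on the environment.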

CVSS Metrics

  • v3.1 HIGH, Score: 7.5, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • v2.0 MEDIUM, Score: 5, Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 1.10% Percentile: 78%

Techniques & Countermeasures

  • CWE-379: Creation of Temporary File in Directory with Insecure Permissions

    The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

Affected Systems

  • apache / ant: 1.10.8
  • fedoraproject / fedora: 31 | 32 | 33
  • gradle / gradle: < 6.8.0
  • org.apache.ant / ant: < 1.10.9
  • oracle / agile_engineering_data_management: 6.2.1.0
  • oracle / api_gateway: 11.1.2.4.0
  • oracle / banking_platform: 2.4.0 | 2.4.1 | 2.6.2 | 2.7.0 | 2.7.1 | 2.8.0
  • oracle / banking_treasury_management: 14.4
  • oracle / communications_unified_inventory_management: 7.4.0 | 7.4.1
  • oracle / data_integrator: 12.2.1.3.0 | 12.2.1.4.0
  • oracle / endeca_information_discovery_studio: 3.2.0.0
  • oracle / enterprise_repository: 11.1.1.7.0
  • oracle / financial_services_analytical_applications_infrastructure: ≥ 8.0.6, ≤ 8.0.9 | 8.1.0 | 8.1.1
  • oracle / flexcube_private_banking: 12.0.0 | 12.1.0
  • oracle / primavera_gateway: ≥ 16.2.0, ≤ 16.2.11 | ≥ 17.12.0, ≤ 17.12.9
  • oracle / primavera_unifier: ≥ 17.7, ≤ 17.12 | 16.1 | 16.2 | 18.8 | 19.12 | 20.12
  • oracle / real-time_decision_server: 3.2.0.0 | 11.1.1.9.0
  • oracle / retail_advanced_inventory_planning: 14.1
  • oracle / retail_assortment_planning: 16.0.3
  • oracle / retail_category_management_planning_&_optimization: 16.0.3
  • oracle / retail_eftlink: 19.0.1 | 20.0.0
  • oracle / retail_financial_integration: 14.1.3 | 15.0.3 | 16.0.3
  • oracle / retail_integration_bus: 15.0.3
  • oracle / retail_item_planning: 16.0.3
  • oracle / retail_macro_space_optimization: 16.0.3
  • oracle / retail_merchandise_financial_planning: 16.0.3
  • oracle / retail_merchandising_system: 14.1.3.2 | 16.0.3
  • oracle / retail_predictive_application_server: 14.1
  • oracle / retail_regular_price_optimization: 16.0.3
  • oracle / retail_replenishment_optimization: 16.0.3
  • oracle / retail_service_backbone: 14.1.3 | 15.0.3 | 16.0.3
  • oracle / retail_size_profile_optimization: 16.0.3
  • oracle / retail_store_inventory_management: 14.1.3.9 | 15.0.3.0 | 16.0.3.0
  • oracle / retail_xstore_point_of_service: 15.0.4 | 16.0.6 | 17.0.4 | 18.0.3 | 19.0.2
  • oracle / storagetek_acsls: 8.5.1
  • oracle / storagetek_tape_analytics: 2.4
  • oracle / timesten_in-memory_database: < 11.2.2.8.27
  • oracle / utilities_framework: 4.3.0.5.0 | 4.3.0.6.0 | 4.4.0.0.0 | 4.4.0.2.0

References (32)