Permission Vulnerability in Apache Ant Leading to Potential Source File Injection
CVE-2020-11979

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Ant
Vendor
CVE Published:
1 October 2020

Summary

A flaw in Apache Ant allows for the deletion of temporary files without protective permissions. The fix for a previous vulnerability inadvertently opens a path for attackers to inject modified source files into the build process. This can compromise the integrity of the software being built, raising significant security concerns for developers relying on Apache Ant in their CI/CD pipelines.

Affected Version(s)

Apache Ant Apache Ant 1.10.8

References

https://lists.apache.org/thread.html/rc3c8ef9724b5b1e1715...
x_refsource_MISC
https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r4ca33fad3fb39d130cd...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.