Insecure Temporary File Vulnerability in Apache Ant
CVE-2020-1945

6.3MEDIUM

Key Information:

Vendor
Apache
Status
Apache Ant
Vendor
CVE Published:
14 May 2020

Summary

Apache Ant versions from 1.1 to 1.9.14 and from 1.10.0 to 1.10.7 utilize the default temporary directory defined by the Java property java.io.tmpdir for various operations. This practice poses a risk of leaking sensitive user information. Furthermore, tasks such as fixcrlf and replaceregexp can inadvertently copy files from this insecure temporary directory back into the build environment, enabling a potential attacker to inject altered source files into the build process. This flaw underscores the importance of secure file handling practices within development tools.

Affected Version(s)

Apache Ant Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7

References

https://lists.apache.org/thread.html/rda80ac59119558eaec4...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rfd346609527a79662c4...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/re1ce84518d773a94a61...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.