  1. Apache Rat
  2. RAT-269

Fix CVE-2020-1945: Apache Ant insecure temporary file vulnerability by updating to latest ANT

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.13
    • Fix Version/s: 0.14
    • Component/s: None
    • Labels: None

    Description

      Update ANT to fix:

      CVE-2020-1945: Apache Ant insecure temporary file vulnerability

      Severity: Medium

      Vendor:
      The Apache Software Foundation

      Versions Affected:
      Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7

      Description:

      Apache Ant uses the default temporary directory identified by the Java
      system property java.io.tmpdir for several tasks and may thus leak
      sensitive information. The fixcrlf and replaceregexp tasks also copy
      files from the temporary directory back into the build tree allowing an
      attacker to inject modified source files into the build process.

      Mitigation:

      Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the
      java.io.tmpdir system property to point to a directory only readable and
      writable by the current user prior to running Ant.

      Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile
      instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary
      files if the underlying filesystem allows it, but we still recommend
      using a private temporary directory instead.

      Credit:
      This issue was discovered by Mike Salvatore of the Ubuntu Security Team.

      References:
      https://ant.apache.org/security.html
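
The mitigation for affected versions (a java.io.tmpdir that only the current user can read and write) can be applied with a small wrapper. This is an added example, not code from the advisory or from Apache Rat; the function names are hypothetical, and it assumes the build is started through the standard `ant` launcher script, which passes `ANT_OPTS` to the JVM.

```shell
#!/bin/sh
# Added example: run a build with java.io.tmpdir pointing at a private directory.
# Function names are hypothetical; ANT_OPTS is read by the standard ant launcher.

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# current user, with full owner access and no group/other permission bits.
is_private_dir() {
    [ -n "$(find "$1" -prune -type d -user "$(id -u)" -perm -700 \
        ! -perm -040 ! -perm -020 ! -perm -010 \
        ! -perm -004 ! -perm -002 ! -perm -001 2>/dev/null)" ]
}

# Creates a fresh 0700 directory, verifies it, runs the given command with
# -Djava.io.tmpdir appended to ANT_OPTS, then removes the directory.
# Assumes the temporary path contains no whitespace (ANT_OPTS is word-split).
run_with_private_tmp() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/ant-private.XXXXXX") || return 1
    if ! is_private_dir "$tmp"; then
        echo "refusing to use $tmp: not private to the current user" >&2
        rm -rf "$tmp"
        return 1
    fi
    status=0
    ANT_OPTS="${ANT_OPTS:+$ANT_OPTS }-Djava.io.tmpdir=$tmp" "$@" || status=$?
    rm -rf "$tmp"
    return "$status"
}

# Usage: ./private-tmp.sh ant -f build.xml
# With no arguments the script only defines the functions.
[ "$#" -eq 0 ] || run_with_private_tmp "$@"
```

The permission check matters when the directory is supplied by someone else (for example a CI setting) rather than created by `mktemp -d`; a directory that fails it should not be used as the temporary directory.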

          People

            Assignee: Philipp Ottlinger (pottlinger)
            Reporter: Philipp Ottlinger (pottlinger)