CVE-2020-1945
Last modified
CVE-2020-1945 is a medium-severity vulnerability rated 6.3/10 on the CVSS v3.1 scale. Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 use the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information to other local users who can read that shared directory. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree, allowing an attacker to inject modified source files into the build process. EPSS estimates a 1.79% chance of exploitation in the next 30 days.
Description
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
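The two practical questions a build engineer has about this description are "is my Ant in the affected ranges?" and "is the java.io.tmpdir my build uses actually private to me?". The POSIX shell script below is an added example for this page, not code from NVD or the Apache Ant project. It parses the `Apache Ant(TM) version X.Y.Z ...` banner printed by `ant -version`, reads the JVM's effective `java.io.tmpdir` from `java -XshowSettings:properties`, checks that directory's owner and mode, and, when it is a shared directory such as /tmp, creates a fresh mode-0700 directory and prints the `ANT_OPTS` setting (honoured by the Ant launcher script) that moves the build's temporary files there. The version strings in the comments and the `ant-build.XXXXXX` directory name are constructed for the example.

```shell
#!/bin/sh
# Added example for this page (not code from NVD or the Apache Ant project).
# Pre-build check for CVE-2020-1945: flags an Ant version inside the affected
# ranges and gives the build a private java.io.tmpdir so that another local
# user on a shared build host cannot read or replace Ant's temporary files.
# Assumptions: the "Apache Ant(TM) version X.Y.Z ..." banner of `ant -version`,
# the JVM's -XshowSettings:properties output, the Ant launcher honouring
# ANT_OPTS, and stat/mktemp/chmod from GNU or BSD userland.

# ant_version_vulnerable "<ant -version output>"
#   returns 0 if the version is in 1.1..1.9.14 or 1.10.0..1.10.7 (the ranges
#   listed on this page), 1 if outside them, 2 if no version could be parsed.
ant_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;   # "9.14" -> 14
        *)   patch=0 ;;                                 # "1.1" has no patch level
    esac
    [ "$major" -eq 1 ] || return 1
    if [ "$minor" -lt 9 ]; then
        return 0                                        # 1.1 .. 1.8.x
    elif [ "$minor" -eq 9 ]; then
        [ "$patch" -le 14 ] && return 0                 # 1.9.0 .. 1.9.14
        return 1
    elif [ "$minor" -eq 10 ]; then
        [ "$patch" -le 7 ] && return 0                  # 1.10.0 .. 1.10.7
        return 1
    fi
    return 1
}

# tmpdir_is_private <dir>
#   returns 0 only if <dir> exists, is owned by the calling user and carries
#   no group/other permission bits (mode ?00); a sticky 1777 /tmp fails this.
tmpdir_is_private() {
    _dir=$1
    [ -d "$_dir" ] && [ -O "$_dir" ] || return 1
    _mode=$(stat -c '%a' "$_dir" 2>/dev/null || stat -f '%Lp' "$_dir" 2>/dev/null) || return 1
    _mode=$(printf '%s' "$_mode" | sed 's/.*\(...\)$/\1/')   # drop sticky/setgid digit
    case "$_mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# make_private_tmpdir
#   creates a fresh mode-0700 directory under $TMPDIR (default /tmp) and
#   prints its path; the build's temp files go there instead of shared /tmp.
make_private_tmpdir() {
    _new=$(mktemp -d "${TMPDIR:-/tmp}/ant-build.XXXXXX") || return 1
    chmod 700 "$_new" || return 1
    printf '%s\n' "$_new"
}

# ant_opts_for <dir> -> the ANT_OPTS value that points the Ant JVM at <dir>
ant_opts_for() {
    printf '%s\n' "-Djava.io.tmpdir=$1"
}

main() {
    if command -v ant >/dev/null 2>&1; then
        banner=$(ant -version 2>/dev/null)
        ant_version_vulnerable "$banner" && rc=0 || rc=$?
        case "$rc" in
            0) echo "WARNING: '$banner' is inside the CVE-2020-1945 affected ranges" ;;
            1) echo "ant version outside the affected ranges: $banner" ;;
            *) echo "could not parse an Ant version from: $banner" ;;
        esac
    else
        echo "ant not on PATH; version check skipped"
    fi
    # Where would Ant's JVM put temporary files right now?
    cur=$(java -XshowSettings:properties -version 2>&1 | sed -n 's/^ *java.io.tmpdir = //p')
    if [ -n "$cur" ] && tmpdir_is_private "$cur"; then
        echo "java.io.tmpdir ($cur) is already private to $(id -un)"
    else
        priv=$(make_private_tmpdir) || { echo "could not create a private tmpdir" >&2; return 1; }
        echo "java.io.tmpdir (${cur:-unknown}) is shared; run the build as:"
        echo "  ANT_OPTS=\"$(ant_opts_for "$priv")\" ant ...   # and rm -rf $priv afterwards"
    fi
}

main "$@"
```

The version test only says whether a build is inside the ranges this page lists; it does not by itself prove a newer release is safe, so pair it with the vendor advisories in the references. Moving java.io.tmpdir to a 0700 directory removes the shared-directory precondition that the CVSS vector (AV:L, PR:L) describes: a second local account can no longer read the temporary copies or swap in a modified file for fixcrlf or replaceregexp to copy back into the build tree.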
Metrics
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (base score 6.3, Medium: Attack Vector Local, Attack Complexity High, Privileges Required Low, User Interaction None, Scope Unchanged, Confidentiality High, Integrity High, Availability None)
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Ant | >= 1.1, <= 1.9.14 |
| Apache | Ant | >= 1.10.0, <= 1.10.7 |
| Canonical | Ubuntu Linux | 19.10 |
| Fedoraproject | Fedora | 31 |
| Fedoraproject | Fedora | 32 |
| Opensuse | Leap | 15.2 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Banking Enterprise Collections | >= 2.7.0, <= 2.9.0 |
| Oracle | Banking Liquidity Management | >= 14.0.0, <= 14.4.0 |
| Oracle | Banking Platform | >= 2.4.0, <= 2.9.0 |
| Oracle | Business Process Management Suite | 12.2.1.3.0 |
| Oracle | Business Process Management Suite | 12.2.1.4.0 |
| Oracle | Category Management Planning \& Optimization | 15.0.3 |
| Oracle | Communications Asap | 7.3 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0, <= 8.2.2 |
| Oracle | Communications Metasolv Solution | 6.3.0 |
| Oracle | Communications Order And Service Management | 7.3 |
| Oracle | Communications Order And Service Management | 7.4 |
| Oracle | Data Integrator | 12.2.1.3.0 |
| Oracle | Data Integrator | 12.2.1.4.0 |
| Oracle | Endeca Information Discovery Studio | 3.2.0 |
| Oracle | Enterprise Manager Ops Center | 12.4.0.0 |
| Oracle | Enterprise Repository | 11.1.1.7.0 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 8.0.6, <= 8.1.0 |
| Oracle | Flexcube Investor Servicing | 12.1.0 |
| Oracle | Flexcube Investor Servicing | 12.3.0 |
| Oracle | Flexcube Investor Servicing | 12.4.0 |
| Oracle | Flexcube Investor Servicing | 14.0.0 |
| Oracle | Flexcube Investor Servicing | 14.1.0 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Oracle | Flexcube Private Banking | 12.1.0 |
| Oracle | Health Sciences Information Manager | >= 3.0, <= 3.0.2 |
| Oracle | Primavera Gateway | >= 16.2.0, <= 16.2.11 |
| Oracle | Primavera Gateway | >= 17.12.0, <= 17.12.7 |
| Oracle | Primavera Unifier | >= 17.7, <= 17.12 |
| Oracle | Primavera Unifier | 16.1 |
| Oracle | Primavera Unifier | 16.2 |
| Oracle | Primavera Unifier | 18.8 |
| Oracle | Primavera Unifier | 19.12 |
| Oracle | Rapid Planning | 12.1 |
| Oracle | Rapid Planning | 12.2 |
| Oracle | Real-Time Decision Server | 3.2.1.0 |
| Oracle | Retail Advanced Inventory Planning | 14.1 |
| Oracle | Retail Advanced Inventory Planning | 15.0 |
| Oracle | Retail Advanced Inventory Planning | 16.0 |
| Oracle | Retail Assortment Planning | 15.0.3 |
| Oracle | Retail Assortment Planning | 16.0.3 |
| Oracle | Retail Back Office | 14.0 |
| Oracle | Retail Back Office | 14.1 |
| Oracle | Retail Bulk Data Integration | 15.0 |
Showing 50 of 117 affected configurations. See NVD for the full list.
References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00053.html (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/09/30/6 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/12/06/1 (Mailing List, Third Party Advisory)
- https://security.gentoo.org/glsa/202007-34 (Third Party Advisory)
- https://usn.ubuntu.com/4380-1/ (Mailing List, Vendor Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-1945?
How severe is CVE-2020-1945?
How do I fix CVE-2020-1945?
Source: NVD / NIST
