CVE-2020-1945

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

From the Ubuntu Security Team

It was discovered that Apache Ant created temporary files with insecure permissions. An attacker could use this vulnerability to read sensitive information leaked into /tmp, or potentially inject malicious code into a project that is built with Apache Ant.

Read the notes from the security team

Mitigation

Set the java.io.tmpdir property of the JVM to point to a directory that is not world read/writable.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ant	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	21.10 impish	Not affected
	21.04 hirsute	Not affected
	20.10 groovy	Not affected
	20.04 LTS focal	Fixed 1.10.7-1ubuntu0.1~esm1 Ubuntu Pro
	19.10 eoan	Fixed 1.10.6-1ubuntu0.1
	18.04 LTS bionic	Fixed 1.10.5-3~18.04.1~esm1 Ubuntu Pro
	16.04 LTS xenial	Fixed 1.9.6-1ubuntu1.1+esm1 Ubuntu Pro
	14.04 LTS trusty	Fixed 1.9.3-2ubuntu0.1+esm1 Ubuntu Pro

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Notes

msalvatore

There are two potential mitigations for this vulnerability. 1) Set your umask to 077. 2) Set your JVM's java.io.tmpdir system property to a directory only readable and writable by the current user running Ant. The fix for this CVE is incomplete. CVE-2020-11979 finishes resolving the issue.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
ant	Upstream: https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=9c1f4d905da59bf446570ac28df5b68a37281f35 Upstream: https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=926f339ea30362bec8e53bf5924ce803938163b7 Upstream: https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=041b058c7bf10a94d56db3ca9dba38cf90ab9943 Upstream: https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=a8645a151bc706259fb1789ef587d05482d98612

Package

Patch details

ant

Severity score breakdown

Parameter	Value
Base score	6.3 · Medium
Attack vector	Local
Attack complexity	High
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Cvss 3 Severity Score

From the Ubuntu Security Team

Mitigation

Status

Get expanded security coverage with Ubuntu Pro

Notes

msalvatore

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references