Vulnerability Details CVE-2020-11979
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.2%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
- https://security.gentoo.org/glsa/202011-18
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
- https://security.gentoo.org/glsa/202011-18
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Products affected by CVE-2020-11979
-
cpe:2.3:a:apache:ant:1.10.8
-
cpe:2.3:a:gradle:gradle:-
-
cpe:2.3:a:gradle:gradle:0.1
-
cpe:2.3:a:gradle:gradle:0.1.1
-
cpe:2.3:a:gradle:gradle:0.1.2
-
cpe:2.3:a:gradle:gradle:0.1.3
-
cpe:2.3:a:gradle:gradle:0.1.4
-
cpe:2.3:a:gradle:gradle:0.2
-
cpe:2.3:a:gradle:gradle:0.3
-
cpe:2.3:a:gradle:gradle:0.4
-
cpe:2.3:a:gradle:gradle:0.5
-
cpe:2.3:a:gradle:gradle:0.5.1
-
cpe:2.3:a:gradle:gradle:0.5.2
-
cpe:2.3:a:gradle:gradle:0.6
-
cpe:2.3:a:gradle:gradle:0.6.1
-
cpe:2.3:a:gradle:gradle:0.7
-
cpe:2.3:a:gradle:gradle:0.8
-
cpe:2.3:a:gradle:gradle:0.9
-
cpe:2.3:a:gradle:gradle:0.9.1
-
cpe:2.3:a:gradle:gradle:0.9.2
-
cpe:2.3:a:gradle:gradle:1.0
-
cpe:2.3:a:gradle:gradle:1.1
-
cpe:2.3:a:gradle:gradle:1.10
-
cpe:2.3:a:gradle:gradle:1.11
-
cpe:2.3:a:gradle:gradle:1.12
-
cpe:2.3:a:gradle:gradle:1.2
-
cpe:2.3:a:gradle:gradle:1.3
-
cpe:2.3:a:gradle:gradle:1.3.1
-
cpe:2.3:a:gradle:gradle:1.4
-
cpe:2.3:a:gradle:gradle:1.5
-
cpe:2.3:a:gradle:gradle:1.6
-
cpe:2.3:a:gradle:gradle:1.7
-
cpe:2.3:a:gradle:gradle:1.8
-
cpe:2.3:a:gradle:gradle:1.9
-
cpe:2.3:a:gradle:gradle:2.0
-
cpe:2.3:a:gradle:gradle:2.1
-
cpe:2.3:a:gradle:gradle:2.10
-
cpe:2.3:a:gradle:gradle:2.11
-
cpe:2.3:a:gradle:gradle:2.12
-
cpe:2.3:a:gradle:gradle:2.13
-
cpe:2.3:a:gradle:gradle:2.14
-
cpe:2.3:a:gradle:gradle:2.14.1
-
cpe:2.3:a:gradle:gradle:2.2
-
cpe:2.3:a:gradle:gradle:2.2.1
-
cpe:2.3:a:gradle:gradle:2.3
-
cpe:2.3:a:gradle:gradle:2.4
-
cpe:2.3:a:gradle:gradle:2.5
-
cpe:2.3:a:gradle:gradle:2.6
-
cpe:2.3:a:gradle:gradle:2.7
-
cpe:2.3:a:gradle:gradle:2.8
-
cpe:2.3:a:gradle:gradle:2.9
-
cpe:2.3:a:gradle:gradle:3.0.0
-
cpe:2.3:a:gradle:gradle:3.1.0
-
cpe:2.3:a:gradle:gradle:3.2.0
-
cpe:2.3:a:gradle:gradle:3.2.1
-
cpe:2.3:a:gradle:gradle:3.3.0
-
cpe:2.3:a:gradle:gradle:3.4.0
-
cpe:2.3:a:gradle:gradle:3.4.1
-
cpe:2.3:a:gradle:gradle:3.5.0
-
cpe:2.3:a:gradle:gradle:3.5.1
-
cpe:2.3:a:gradle:gradle:4.0.0
-
cpe:2.3:a:gradle:gradle:4.0.1
-
cpe:2.3:a:gradle:gradle:4.0.2
-
cpe:2.3:a:gradle:gradle:4.1.0
-
cpe:2.3:a:gradle:gradle:4.10.0
-
cpe:2.3:a:gradle:gradle:4.10.1
-
cpe:2.3:a:gradle:gradle:4.10.2
-
cpe:2.3:a:gradle:gradle:4.10.3
-
cpe:2.3:a:gradle:gradle:4.2.0
-
cpe:2.3:a:gradle:gradle:4.2.1
-
cpe:2.3:a:gradle:gradle:4.3.0
-
cpe:2.3:a:gradle:gradle:4.3.1
-
cpe:2.3:a:gradle:gradle:4.4.0
-
cpe:2.3:a:gradle:gradle:4.4.1
-
cpe:2.3:a:gradle:gradle:4.5.0
-
cpe:2.3:a:gradle:gradle:4.5.1
-
cpe:2.3:a:gradle:gradle:4.6.0
-
cpe:2.3:a:gradle:gradle:4.7.0
-
cpe:2.3:a:gradle:gradle:4.8.0
-
cpe:2.3:a:gradle:gradle:4.8.1
-
cpe:2.3:a:gradle:gradle:4.9.0
-
cpe:2.3:a:gradle:gradle:5.0.0
-
cpe:2.3:a:gradle:gradle:5.1.0
-
cpe:2.3:a:gradle:gradle:5.1.1
-
cpe:2.3:a:gradle:gradle:5.2.0
-
cpe:2.3:a:gradle:gradle:5.2.1
-
cpe:2.3:a:gradle:gradle:5.3.0
-
cpe:2.3:a:gradle:gradle:5.4.0
-
cpe:2.3:a:gradle:gradle:5.4.1
-
cpe:2.3:a:gradle:gradle:5.5.0
-
cpe:2.3:a:gradle:gradle:5.5.1
-
cpe:2.3:a:gradle:gradle:5.6
-
cpe:2.3:a:gradle:gradle:5.6.0
-
cpe:2.3:a:gradle:gradle:5.6.1
-
cpe:2.3:a:gradle:gradle:5.6.2
-
cpe:2.3:a:gradle:gradle:5.6.3
-
cpe:2.3:a:gradle:gradle:5.6.4
-
cpe:2.3:a:gradle:gradle:6.0
-
cpe:2.3:a:gradle:gradle:6.0.0
-
cpe:2.3:a:gradle:gradle:6.0.1
-
cpe:2.3:a:gradle:gradle:6.1.0
-
cpe:2.3:a:gradle:gradle:6.1.1
-
cpe:2.3:a:gradle:gradle:6.2.0
-
cpe:2.3:a:gradle:gradle:6.2.1
-
cpe:2.3:a:gradle:gradle:6.2.2
-
cpe:2.3:a:gradle:gradle:6.3.0
-
cpe:2.3:a:gradle:gradle:6.4.0
-
cpe:2.3:a:gradle:gradle:6.4.1
-
cpe:2.3:a:gradle:gradle:6.5.0
-
cpe:2.3:a:gradle:gradle:6.5.1
-
cpe:2.3:a:gradle:gradle:6.6.0
-
cpe:2.3:a:gradle:gradle:6.6.1
-
cpe:2.3:a:gradle:gradle:6.7.0
-
cpe:2.3:a:gradle:gradle:6.7.1
-
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0
-
cpe:2.3:a:oracle:api_gateway:11.1.2.4.0
-
cpe:2.3:a:oracle:banking_platform:2.4.0
-
cpe:2.3:a:oracle:banking_platform:2.4.1
-
cpe:2.3:a:oracle:banking_platform:2.6.2
-
cpe:2.3:a:oracle:banking_platform:2.7.0
-
cpe:2.3:a:oracle:banking_platform:2.7.1
-
cpe:2.3:a:oracle:banking_platform:2.8.0
-
cpe:2.3:a:oracle:banking_treasury_management:14.4
-
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0
-
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1
-
cpe:2.3:a:oracle:data_integrator:12.2.1.3.0
-
cpe:2.3:a:oracle:data_integrator:12.2.1.4.0
-
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0.0
-
cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.0.1
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.1.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.2.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.3.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.6.4.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.1.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.2.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.0.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0
-
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1
-
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0
-
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0
-
cpe:2.3:a:oracle:primavera_gateway:16.2.0
-
cpe:2.3:a:oracle:primavera_gateway:16.2.11
-
cpe:2.3:a:oracle:primavera_gateway:17.12.0
-
cpe:2.3:a:oracle:primavera_gateway:17.12.6
-
cpe:2.3:a:oracle:primavera_gateway:17.12.7
-
cpe:2.3:a:oracle:primavera_gateway:17.12.8
-
cpe:2.3:a:oracle:primavera_gateway:17.12.9
-
cpe:2.3:a:oracle:primavera_unifier:16.1
-
cpe:2.3:a:oracle:primavera_unifier:16.2
-
cpe:2.3:a:oracle:primavera_unifier:17.10
-
cpe:2.3:a:oracle:primavera_unifier:17.11
-
cpe:2.3:a:oracle:primavera_unifier:17.12
-
cpe:2.3:a:oracle:primavera_unifier:17.7
-
cpe:2.3:a:oracle:primavera_unifier:17.8
-
cpe:2.3:a:oracle:primavera_unifier:17.9
-
cpe:2.3:a:oracle:primavera_unifier:18.8
-
cpe:2.3:a:oracle:primavera_unifier:19.12
-
cpe:2.3:a:oracle:primavera_unifier:20.12
-
cpe:2.3:a:oracle:real-time_decision_server:11.1.1.9.0
-
cpe:2.3:a:oracle:real-time_decision_server:3.2.0.0
-
cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1
-
cpe:2.3:a:oracle:retail_assortment_planning:16.0.3
-
cpe:2.3:a:oracle:retail_category_management_planning_&_optimization:16.0.3
-
cpe:2.3:a:oracle:retail_eftlink:19.0.1
-
cpe:2.3:a:oracle:retail_eftlink:20.0.0
-
cpe:2.3:a:oracle:retail_financial_integration:14.1.3
-
cpe:2.3:a:oracle:retail_financial_integration:15.0.3
-
cpe:2.3:a:oracle:retail_financial_integration:16.0.3
-
cpe:2.3:a:oracle:retail_integration_bus:15.0.3
-
cpe:2.3:a:oracle:retail_item_planning:16.0.3
-
cpe:2.3:a:oracle:retail_macro_space_optimization:16.0.3
-
cpe:2.3:a:oracle:retail_merchandise_financial_planning:16.0.3
-
cpe:2.3:a:oracle:retail_merchandising_system:14.1.3.2
-
cpe:2.3:a:oracle:retail_merchandising_system:16.0.3
-
cpe:2.3:a:oracle:retail_predictive_application_server:14.1
-
cpe:2.3:a:oracle:retail_regular_price_optimization:16.0.3
-
cpe:2.3:a:oracle:retail_replenishment_optimization:16.0.3
-
cpe:2.3:a:oracle:retail_service_backbone:14.1.3
-
cpe:2.3:a:oracle:retail_service_backbone:15.0.3
-
cpe:2.3:a:oracle:retail_service_backbone:16.0.3
-
cpe:2.3:a:oracle:retail_size_profile_optimization:16.0.3
-
cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3.9
-
cpe:2.3:a:oracle:retail_store_inventory_management:15.0.3.0
-
cpe:2.3:a:oracle:retail_store_inventory_management:16.0.3.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.4
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2
-
cpe:2.3:a:oracle:storagetek_acsls:8.5.1
-
cpe:2.3:a:oracle:storagetek_tape_analytics:2.4
-
cpe:2.3:a:oracle:timesten_in-memory_database:-
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0
-
cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0
-
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0
-
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0
-
cpe:2.3:o:fedoraproject:fedora:31
-
cpe:2.3:o:fedoraproject:fedora:32
-
cpe:2.3:o:fedoraproject:fedora:33