Lucene search

K
gentooGentoo FoundationGLSA-202011-18
HistoryNov 16, 2020 - 12:00 a.m.

Apache Ant: Insecure temporary file

2020-11-1600:00:00
Gentoo Foundation
security.gentoo.org
45
apache ant
incomplete fix
insecure temporary files
symlink attacks
arbitrary file overwriting
upgrade

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.8

Confidence

High

EPSS

0.002

Percentile

58.7%

Background

Ant is a Java-based build tool similar to ‘make’ that uses XML configuration files.

Description

A previous fix for a security vulnerability involving insecure temporary files has been found to be incomplete.

Impact

A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.

Workaround

There is no known workaround at this time.

Resolution

All Apache Ant users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-java/ant-1.10.9"
OSVersionArchitecturePackageVersionFilename
Gentooanyalldev-java/ant< 1.10.9UNKNOWN

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.8

Confidence

High

EPSS

0.002

Percentile

58.7%