Oct 01, 2020 - 12:00 a.m.

CVE-2020-11979

2020-10-01 00:00:00
ubuntu.com
apache ant
cve-2020-1945
mitigation
temporary files
access permissions
fixcrlf task
attacker
source files
build process
unix

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.002
Percentile: 58.7%

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions
of temporary files it created so that only the current user was allowed to
access them. Unfortunately the fixcrlf task deleted the temporary file and
created a new one without said protection, effectively nullifying the
effort. This would still allow an attacker to inject modified source files
into the build process.
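
The pattern described above, modelled in Python as an added example (not Ant's Java code and not part of the advisory): an owner-only temporary file loses its protection when it is deleted and recreated, while rewriting through a second owner-only file and an atomic rename keeps it. All function names and the scratch directory are constructed for illustration, and POSIX permissions are assumed.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_protected(directory):
    """Owner-only temp file, standing in for the CVE-2020-1945 mitigation."""
    fd, path = tempfile.mkstemp(dir=directory)  # created with mode 0600
    os.close(fd)
    return path


def recreate_flawed(path, data):
    """Flawed pattern: delete the protected file, then create a new one
    under the same name. The new file gets 0666 masked by the umask."""
    os.remove(path)
    with open(path, "w") as f:
        f.write(data)
    return path


def rewrite_hardened(path, data):
    """Hardened pattern: write a second owner-only temp file in the same
    directory and atomically rename it over the original."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.replace(tmp, path)
    return path


def demo(umask=0o022):
    """Return (initial, after_flawed, after_hardened) permission bits."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:  # constructed scratch dir
            p = create_protected(d)
            initial = mode_of(p)
            flawed = mode_of(recreate_flawed(p, "converted\n"))
            q = create_protected(d)
            hardened = mode_of(rewrite_hardened(q, "converted\n"))
            return initial, flawed, hardened
    finally:
        os.umask(old)
```

With a umask of 022, `demo()` reports 0600 for the original file, 0644 after the delete-and-recreate step, and 0600 after the rename-based rewrite.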
