CVE-2020-11979: Code Injection
First published: Thu Oct 01 2020(Updated: )
Apache Ant could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure temporary file flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject modified source files into the build process.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <0:2.263.3.1612433584-1.el7 | 0:2.263.3.1612433584-1.el7 |
| redhat/conmon | <2:2.0.21-1.rhaos4.5.el7 | 2:2.0.21-1.rhaos4.5.el7 |
| redhat/jenkins | <0:2.263.3.1612434332-1.el7 | 0:2.263.3.1612434332-1.el7 |
| redhat/machine-config-daemon | <0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8 | 0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8 |
| redhat/openshift | <0:4.5.0-202102050524.p0.git.0.9229406.el7 | 0:4.5.0-202102050524.p0.git.0.9229406.el7 |
| redhat/openshift-ansible | <0:4.5.0-202102031005.p0.git.0.c6839a2.el7 | 0:4.5.0-202102031005.p0.git.0.c6839a2.el7 |
| redhat/openshift-clients | <0:4.5.0-202102051529.p0.git.3612.61b096a.el7 | 0:4.5.0-202102051529.p0.git.3612.61b096a.el7 |
| redhat/runc | <0:1.0.0-72.rhaos4.5.giteadfc6b.el8 | 0:1.0.0-72.rhaos4.5.giteadfc6b.el8 |
| redhat/jenkins | <0:2.263.3.1612434510-1.el8 | 0:2.263.3.1612434510-1.el8 |
| redhat/ant | <1.10.9 | 1.10.9 |
| maven/org.apache.ant:ant | =1.10.8 | 1.10.9 |
| Apache Ant | =1.10.8 | |
| Gradle | <6.8.0 | |
| Fedora | =31 | |
| Fedora | =32 | |
| Fedora | =33 | |
| Oracle Agile Engineering Data Management | =6.2.1.0 | |
| Oracle API Gateway | =11.1.2.4.0 | |
| oracle banking platform | =2.4.0 | |
| oracle banking platform | =2.4.1 | |
| oracle banking platform | =2.6.2 | |
| oracle banking platform | =2.7.0 | |
| oracle banking platform | =2.7.1 | |
| oracle banking platform | =2.8.0 | |
| Oracle Banking Treasury Management | =14.4 | |
| Oracle Communications Unified Inventory Management | =7.4.0 | |
| Oracle Communications Unified Inventory Management | =7.4.1 | |
| Oracle Data Integrator | =12.2.1.3.0 | |
| Oracle Data Integrator | =12.2.1.4.0 | |
| Oracle Endeca Information Discovery Studio | =3.2.0.0 | |
| Oracle Enterprise Repository | =11.1.1.7.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6<=8.0.9 | |
| Oracle Financial Services Analytical Applications Infrastructure | =8.1.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | =8.1.1 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| oracle primavera gateway | >=16.2.0<=16.2.11 | |
| oracle primavera gateway | >=17.12.0<=17.12.9 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =16.1 | |
| Oracle Primavera Unifier | =16.2 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Primavera Unifier | =20.12 | |
| Oracle Real-Time Decisions | =3.2.0.0 | |
| Oracle Real-Time Decisions | =11.1.1.9.0 | |
| Oracle Retail Advanced Inventory Planning | =14.1 | |
| Oracle Retail Assortment Planning | =16.0.3 | |
| oracle retail category management planning \& optimization | =16.0.3 | |
| Oracle Retail EFTLink | =19.0.1 | |
| Oracle Retail EFTLink | =20.0.0 | |
| oracle retail financial integration | =14.1.3 | |
| oracle retail financial integration | =15.0.3 | |
| oracle retail financial integration | =16.0.3 | |
| Oracle Retail Integration Bus | =15.0.3 | |
| oracle retail item planning | =16.0.3 | |
| oracle retail macro space optimization | =16.0.3 | |
| oracle retail merchandise financial planning | =16.0.3 | |
| Oracle Retail Merchandising System | =14.1.3.2 | |
| Oracle Retail Merchandising System | =16.0.3 | |
| Oracle Retail Predictive Application Server | =14.1 | |
| oracle retail regular price optimization | =16.0.3 | |
| oracle retail replenishment optimization | =16.0.3 | |
| Oracle Retail Service Backbone | =14.1.3 | |
| Oracle Retail Service Backbone | =15.0.3 | |
| Oracle Retail Service Backbone | =16.0.3 | |
| oracle retail size profile optimization | =16.0.3 | |
| Oracle Retail Store Inventory Management | =14.1.3.9 | |
| Oracle Retail Store Inventory Management | =15.0.3.0 | |
| Oracle Retail Store Inventory Management | =16.0.3.0 | |
| Oracle Retail Xstore Office Cloud Service | =15.0.4 | |
| Oracle Retail Xstore Office Cloud Service | =16.0.6 | |
| Oracle Retail Xstore Office Cloud Service | =17.0.4 | |
| Oracle Retail Xstore Office Cloud Service | =18.0.3 | |
| Oracle Retail Xstore Office Cloud Service | =19.0.2 | |
| oracle storagetek acsls | =8.5.1 | |
| Oracle Storagetek Tape Analytics | =2.4 | |
| Oracle TimesTen In-Memory Database | <11.2.2.8.27 | |
| Oracle Utilities Framework | =4.3.0.5.0 | |
| Oracle Utilities Framework | =4.3.0.6.0 | |
| Oracle Utilities Framework | =4.4.0.0.0 | |
| Oracle Utilities Framework | =4.4.0.2.0 | |
| IBM Cognos Controller | <=11.0.0 - 11.0.1 FP3 | |
| IBM Cognos Controller | <=11.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-11979 https://nvd.nist.gov/vuln/detail/CVE-2020-11979 https://security.gentoo.org/glsa/202011-18
- https://bugzilla.redhat.com/show_bug.cgi?id=1903702
- https://access.redhat.com/errata/RHSA-2021:0637
- https://access.redhat.com/errata/RHSA-2021:0429
- https://access.redhat.com/errata/RHSA-2021:0423
- https://access.redhat.com/security/cve/cve-2020-11979
- https://access.redhat.com/security/cve/CVE-2020-1945
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
- https://security.gentoo.org/glsa/202011-18
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1903704
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1903705
- https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
- https://nvd.nist.gov/vuln/detail/CVE-2020-11979
- https://github.com/apache/ant/commit/87ac51d3c22bcf7cfd0dc07cb0bd04a496e0d428
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm
- https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c@%3Cdev.creadur.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a@%3Cdev.creadur.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI
- https://github.com/advisories/GHSA-f62v-xpxf-3v68 (Advisory)
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305%40%3Cdev.creadur.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/
- https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a%40%3Cdev.creadur.apache.org%3E
- https://www.ibm.com/support/pages/node/7183597 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2020-11979?
The severity of CVE-2020-11979 is rated as medium.
How do I fix CVE-2020-11979?
You can fix CVE-2020-11979 by updating to the patched versions of the affected packages, such as Jenkins 2.263.3.1612433584-1.el7 or Apache Ant 1.10.9.
What are the affected software versions for CVE-2020-11979?
Affected software versions include Apache Ant 1.10.8, Jenkins 2.263.3.1612433584-1.el7, and several other Red Hat packages.
Who is impacted by CVE-2020-11979?
Users of the affected versions of Apache Ant and Jenkins on Red Hat systems are impacted by CVE-2020-11979.
What type of vulnerability is CVE-2020-11979?
CVE-2020-11979 is a security vulnerability related to improper protections on temporary files created during a task.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-11979
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-f62v-xpxf-3v68
- agent/weakness
- agent/severity
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/references
- agent/last-modified-date
- agent/source
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- package-manager/maven
- vendor/apache
- canonical/apache ant
- version/apache ant/1.10.8
- vendor/gradle
- canonical/gradle
- vendor/fedoraproject
- canonical/fedora
- version/fedora/31
- version/fedora/32
- version/fedora/33
- vendor/oracle
- canonical/oracle agile engineering data management
- version/oracle agile engineering data management/6.2.1.0
- canonical/oracle api gateway
- version/oracle api gateway/11.1.2.4.0
- canonical/oracle banking platform
- version/oracle banking platform/2.4.0
- version/oracle banking platform/2.4.1
- version/oracle banking platform/2.6.2
- version/oracle banking platform/2.7.0
- version/oracle banking platform/2.7.1
- version/oracle banking platform/2.8.0
- canonical/oracle banking treasury management
- version/oracle banking treasury management/14.4
- canonical/oracle communications unified inventory management
- version/oracle communications unified inventory management/7.4.0
- version/oracle communications unified inventory management/7.4.1
- canonical/oracle data integrator
- version/oracle data integrator/12.2.1.3.0
- version/oracle data integrator/12.2.1.4.0
- canonical/oracle endeca information discovery studio
- version/oracle endeca information discovery studio/3.2.0.0
- canonical/oracle enterprise repository
- version/oracle enterprise repository/11.1.1.7.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.6
- version/oracle financial services analytical applications infrastructure/8.0.9
- version/oracle financial services analytical applications infrastructure/8.1.0
- version/oracle financial services analytical applications infrastructure/8.1.1
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle primavera gateway
- version/oracle primavera gateway/16.2.0
- version/oracle primavera gateway/16.2.11
- version/oracle primavera gateway/17.12.0
- version/oracle primavera gateway/17.12.9
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/16.1
- version/oracle primavera unifier/16.2
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- version/oracle primavera unifier/20.12
- canonical/oracle real-time decisions
- version/oracle real-time decisions/3.2.0.0
- version/oracle real-time decisions/11.1.1.9.0
- canonical/oracle retail advanced inventory planning
- version/oracle retail advanced inventory planning/14.1
- canonical/oracle retail assortment planning
- version/oracle retail assortment planning/16.0.3
- canonical/oracle retail category management planning \& optimization
- version/oracle retail category management planning \& optimization/16.0.3
- canonical/oracle retail eftlink
- version/oracle retail eftlink/19.0.1
- version/oracle retail eftlink/20.0.0
- canonical/oracle retail financial integration
- version/oracle retail financial integration/14.1.3
- version/oracle retail financial integration/15.0.3
- version/oracle retail financial integration/16.0.3
- canonical/oracle retail integration bus
- version/oracle retail integration bus/15.0.3
- canonical/oracle retail item planning
- version/oracle retail item planning/16.0.3
- canonical/oracle retail macro space optimization
- version/oracle retail macro space optimization/16.0.3
- canonical/oracle retail merchandise financial planning
- version/oracle retail merchandise financial planning/16.0.3
- canonical/oracle retail merchandising system
- version/oracle retail merchandising system/14.1.3.2
- version/oracle retail merchandising system/16.0.3
- canonical/oracle retail predictive application server
- version/oracle retail predictive application server/14.1
- canonical/oracle retail regular price optimization
- version/oracle retail regular price optimization/16.0.3
- canonical/oracle retail replenishment optimization
- version/oracle retail replenishment optimization/16.0.3
- canonical/oracle retail service backbone
- version/oracle retail service backbone/14.1.3
- version/oracle retail service backbone/15.0.3
- version/oracle retail service backbone/16.0.3
- canonical/oracle retail size profile optimization
- version/oracle retail size profile optimization/16.0.3
- canonical/oracle retail store inventory management
- version/oracle retail store inventory management/14.1.3.9
- version/oracle retail store inventory management/15.0.3.0
- version/oracle retail store inventory management/16.0.3.0
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/15.0.4
- version/oracle retail xstore office cloud service/16.0.6
- version/oracle retail xstore office cloud service/17.0.4
- version/oracle retail xstore office cloud service/18.0.3
- version/oracle retail xstore office cloud service/19.0.2
- canonical/oracle storagetek acsls
- version/oracle storagetek acsls/8.5.1
- canonical/oracle storagetek tape analytics
- version/oracle storagetek tape analytics/2.4
- canonical/oracle timesten in-memory database
- canonical/oracle utilities framework
- version/oracle utilities framework/4.3.0.5.0
- version/oracle utilities framework/4.3.0.6.0
- version/oracle utilities framework/4.4.0.0.0
- version/oracle utilities framework/4.4.0.2.0
- vendor/ibm
- canonical/ibm cognos controller
- version/ibm cognos controller/11.0.0 - 11.0.1 fp3
- version/ibm cognos controller/11.1.0