CVE-2020-1945
First published: Wed May 13 2020(Updated: )
Apache Ant could allow a remote attacker to bypass security restrictions, caused by the use of an insecure temporary directory to store source files. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information and inject modified source files into the build process.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <0:2.263.3.1612433584-1.el7 | 0:2.263.3.1612433584-1.el7 |
| redhat/conmon | <2:2.0.21-1.rhaos4.5.el8 | 2:2.0.21-1.rhaos4.5.el8 |
| redhat/jenkins | <0:2.263.3.1612434332-1.el7 | 0:2.263.3.1612434332-1.el7 |
| redhat/machine-config-daemon | <0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8 | 0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8 |
| redhat/openshift | <0:4.5.0-202102050524.p0.git.0.9229406.el7 | 0:4.5.0-202102050524.p0.git.0.9229406.el7 |
| redhat/openshift-ansible | <0:4.5.0-202102031005.p0.git.0.c6839a2.el7 | 0:4.5.0-202102031005.p0.git.0.c6839a2.el7 |
| redhat/openshift-clients | <0:4.5.0-202102051529.p0.git.3612.61b096a.el7 | 0:4.5.0-202102051529.p0.git.3612.61b096a.el7 |
| redhat/runc | <0:1.0.0-72.rhaos4.5.giteadfc6b.el8 | 0:1.0.0-72.rhaos4.5.giteadfc6b.el8 |
| redhat/jenkins | <0:2.263.3.1612434510-1.el8 | 0:2.263.3.1612434510-1.el8 |
| debian/ant | <=1.10.5-2 | 1.10.9-4 1.10.13-1 1.10.14-1 |
| ubuntu/ant | <1.9.6-1ubuntu1.1+ | 1.9.6-1ubuntu1.1+ |
| ubuntu/ant | <1.10.7-1ubuntu0.1~ | 1.10.7-1ubuntu0.1~ |
| ubuntu/ant | <1.10.5-3~18.04.1~ | 1.10.5-3~18.04.1~ |
| ubuntu/ant | <1.10.6-1ubuntu0.1 | 1.10.6-1ubuntu0.1 |
| ubuntu/ant | <1.9.3-2ubuntu0.1+ | 1.9.3-2ubuntu0.1+ |
| redhat/ant | <1.9.15 | 1.9.15 |
| redhat/ant | <1.10.8 | 1.10.8 |
| Apache Ant | >=1.1<=1.9.14 | |
| Apache Ant | >=1.10.0<=1.10.7 | |
| Canonical Ubuntu Linux | =19.10 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| openSUSE Leap | =15.2 | |
| Oracle Agile Engineering Data Management | =6.2.1.0 | |
| Oracle Banking Enterprise Collections | >=2.7.0<=2.9.0 | |
| Oracle Banking Liquidity Management | >=14.0.0<=14.4.0 | |
| Oracle Banking Platform | >=2.4.0<=2.9.0 | |
| Oracle Business Process Management Suite | =12.2.1.3.0 | |
| Oracle Business Process Management Suite | =12.2.1.4.0 | |
| Oracle Category Management Planning \& Optimization | =15.0.3 | |
| Oracle Communications Asap | =7.3 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0<=8.2.2 | |
| Oracle Communications Metasolv Solution | =6.3.0 | |
| Oracle Communications Order and Service Management | =7.3 | |
| Oracle Communications Order and Service Management | =7.4 | |
| Oracle Data Integrator | =12.2.1.3.0 | |
| Oracle Data Integrator | =12.2.1.4.0 | |
| Oracle Endeca Information Discovery Studio | =3.2.0 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle Enterprise Repository | =11.1.1.7.0 | |
| Oracle Financial Services Analytical Applications Infrastructure | >=8.0.6<=8.1.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.1.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.3.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.4.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.0.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.1.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Health Sciences Information Manager | >=3.0<=3.0.2 | |
| Oracle Primavera Gateway | >=16.2.0<=16.2.11 | |
| Oracle Primavera Gateway | >=17.12.0<=17.12.7 | |
| Oracle Primavera Unifier | >=17.7<=17.12 | |
| Oracle Primavera Unifier | =16.1 | |
| Oracle Primavera Unifier | =16.2 | |
| Oracle Primavera Unifier | =18.8 | |
| Oracle Primavera Unifier | =19.12 | |
| Oracle Rapid Planning | =12.1 | |
| Oracle Rapid Planning | =12.2 | |
| Oracle Real-time Decision Server | =3.2.1.0 | |
| Oracle Retail Advanced Inventory Planning | =14.1 | |
| Oracle Retail Advanced Inventory Planning | =15.0 | |
| Oracle Retail Advanced Inventory Planning | =16.0 | |
| Oracle Retail Assortment Planning | =15.0.3 | |
| Oracle Retail Assortment Planning | =16.0.3 | |
| Oracle Retail Back Office | =14.0 | |
| Oracle Retail Back Office | =14.1 | |
| Oracle Retail Bulk Data Integration | =15.0 | |
| Oracle Retail Bulk Data Integration | =16.0 | |
| Oracle Retail Bulk Data Integration | =16.0.3.0 | |
| Oracle Retail Bulk Data Integration | =19.0.1 | |
| Oracle Retail Central Office | =14.0 | |
| Oracle Retail Central Office | =14.1 | |
| Oracle Retail Data Extractor For Merchandising | =1.9 | |
| Oracle Retail Data Extractor For Merchandising | =1.10 | |
| Oracle Retail Extract Transform And Load | =13.2.5 | |
| Oracle Retail Extract Transform And Load | =13.2.8 | |
| Oracle Retail Financial Integration | =14.1.3.2 | |
| Oracle Retail Financial Integration | =15.0 | |
| Oracle Retail Financial Integration | =15.0.4.0 | |
| Oracle Retail Financial Integration | =16.0 | |
| Oracle Retail Financial Integration | =16.0.3.0 | |
| Oracle Retail Integration Bus | =14.1 | |
| Oracle Retail Integration Bus | =14.1.3.2 | |
| Oracle Retail Integration Bus | =15.0 | |
| Oracle Retail Integration Bus | =15.0.4.0 | |
| Oracle Retail Integration Bus | =16.0 | |
| Oracle Retail Integration Bus | =16.0.3.0 | |
| Oracle Retail Integration Bus | =19.0.1.0 | |
| Oracle Retail Item Planning | =15.0.3 | |
| Oracle Retail Macro Space Optimization | =15.0.3 | |
| Oracle Retail Merchandise Financial Planning | =15.0.3 | |
| Oracle Retail Merchandising System | =19.0.1 | |
| Oracle Retail Point-of-Service | =14.0 | |
| Oracle Retail Point-of-Service | =14.1 | |
| Oracle Retail Point-of-Service | =15.0 | |
| Oracle Retail Point-of-Service | =16.0 | |
| Oracle Retail Predictive Application Server | =14.0.3 | |
| Oracle Retail Predictive Application Server | =14.1.3 | |
| Oracle Retail Predictive Application Server | =15.0.3 | |
| Oracle Retail Predictive Application Server | =16.0.3 | |
| Oracle Retail Predictive Application Server | =16.0.3.0 | |
| Oracle Retail Regular Price Optimization | =15.0.3 | |
| Oracle Retail Regular Price Optimization | =16.0.3 | |
| Oracle Retail Replenishment Optimization | =15.0.3 | |
| Oracle Retail Returns Management | =14.0 | |
| Oracle Retail Returns Management | =14.1 | |
| Oracle Retail Service Backbone | =14.1.3.2 | |
| Oracle Retail Service Backbone | =15.0 | |
| Oracle Retail Service Backbone | =15.0.4.0 | |
| Oracle Retail Service Backbone | =16.0 | |
| Oracle Retail Service Backbone | =16.0.3.0 | |
| Oracle Retail Service Backbone | =19.0.1.0 | |
| Oracle Retail Size Profile Optimization | =15.0.3 | |
| Oracle Retail Size Profile Optimization | =16.0.3 | |
| Oracle Retail Store Inventory Management | =14.0.4 | |
| Oracle Retail Store Inventory Management | =14.1 | |
| Oracle Retail Store Inventory Management | =14.1.3 | |
| Oracle Retail Store Inventory Management | =15.0 | |
| Oracle Retail Store Inventory Management | =15.0.3 | |
| Oracle Retail Store Inventory Management | =16.0 | |
| Oracle Retail Store Inventory Management | =16.0.3 | |
| Oracle Retail Xstore Point of Service | =15.0.4 | |
| Oracle Retail Xstore Point of Service | =16.0.6 | |
| Oracle Retail Xstore Point of Service | =17.0.4 | |
| Oracle Retail Xstore Point of Service | =18.0.3 | |
| Oracle Retail Xstore Point of Service | =19.0.2 | |
| Oracle TimesTen In-Memory Database | <11.2.2.8.27 | |
| Oracle TimesTen In-Memory Database | =11.2.2.8.49 | |
| Oracle Utilities Framework | >=4.3.0.1.0<=4.3.0.6.0 | |
| Oracle Utilities Framework | =2.2.0.0.0 | |
| Oracle Utilities Framework | =4.2.0.2.0 | |
| Oracle Utilities Framework | =4.2.0.3.0 | |
| Oracle Utilities Framework | =4.4.0.0.0 | |
| Oracle Utilities Framework | =4.4.0.2.0 |
Remedy
For versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7, set the java.io.tmpdir system property to a private directory-- only readable and writable by the current user-- before running Ant. For versions 1.9.15 and 1.10.8, use the Ant property ant.tmpfile instead. Ant 1.10.8 protects the temporary files if the underlying filesystem allows it, but using a private temporary directory is still recommended.
Remedy
Set the java.io.tmpdir property of the JVM to point to a directory that is not world read/writable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/181875
- https://www.ibm.com/support/pages/node/6520510 (Advisory)
- https://lists.apache.org/thread.html/r8e592bbfc016a5dbe2a8c0e81ff99682b9c78c453621b82c14e7b75e%40%3Cdev.ant.apache.org%3E
- https://lists.apache.org/thread.html/rfd346609527a79662c48b1da3ac500ec30f29f7ddaa3575051e81890@%3Ccommits.creadur.apache.org%3E
- https://lists.apache.org/thread.html/re1ce84518d773a94a613d988771daf9252c9cf7375a9a477009f9735@%3Ccommits.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r1863b9ce4c3e4b1e5b0c671ad05545ba3eb8399616aa746af5dfe1b1@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r95dc943e47a211d29df605e14f86c280fc9fa8d828b2b53bd07673c9@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rd7dda48ff835f4d0293949837d55541bfde3683bd35bd8431e324538@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rda80ac59119558eaec452e58ddfac2ccc9211da1c65f7927682c78b1@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rdaa9c51d5dc6560c9d2b3f3d742c768ad0705e154041e574a0fae45c@%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/r1b32c76afffcf676e13ed635a3332f3e46e6aaa7722eb3fc7a28f58e@%3Cdev.hive.apache.org%3E
- https://lists.apache.org/thread.html/r0d08a96ba9de8aa435f32944e8b2867c368a518d4ff57782e3637335@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r6edd3e2cb79ee635630d891b54a4f1a9cd8c7f639d6ee34e75fbe830@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r4b2904d64affd4266cd72ccb2fc3927c1c2f22009f183095aa46bf90@%3Cissues.hive.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RRVAWTCVXJMRYKQKEXYSNBF7NLSR6OEI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EQBR65TINSJRN7PTPIVNYS33P535WM74/
- https://usn.ubuntu.com/4380-1/
- https://lists.apache.org/thread.html/r8e24abb7dd77cda14c6df90a377c94f0a413bbfcec90a29540ff8adf@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r2704fb14ce068c64759a986f81d5b5e42ab434fa13d0f444ad52816b@%3Cdev.creadur.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/r6e295d792032ec02b32be3846c21a58857fba4a077d22c5842d69ba2@%3Ctorque-dev.db.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00053.html
- https://security.gentoo.org/glsa/202007-34
- https://lists.apache.org/thread.html/r815f88d1044760176f30a4913b4baacd06f3eae4eb662de7388e46d8@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r5dfc77048b1f9db26622dce91a6edf083d499397256594952fad5f35@%3Ccommits.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/rb8ec556f176c83547b959150e2108e2ddf1d61224295941908b0a81f@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea@%3Cdev.ant.apache.org%3E
- https://lists.apache.org/thread.html/rc89e491b5b270fb40f1210b70554527b737c217ad2e831b643ead6bc@%3Cuser.ant.apache.org%3E
- https://lists.apache.org/thread.html/r1a9c992d7c8219dc15b4ad448649f0ffdaa88d76ef6a0035c49455f5@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rf07feaf78afc8f701e21948a06ef92565d3dff1242d710f4fbf900b2@%3Cdev.creadur.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/09/30/6
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0@%3Cdev.creadur.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/r3cea0f3da4f6d06d7afb6c0804da8e01773a0f50a09b8d9beb2cda65@%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r6970d196cd73863dafdbc3a7052562deedd338e3bd7d73d8171d92d6@%3Ccommits.groovy.apache.org%3E
- https://lists.apache.org/thread.html/rce099751721c26a8166d8b6578293820832831a0b2cb8d93b8efa081@%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/r6030d34ceacd0098538425c5dac8251ffc7fd90b886942bc7ef87858@%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f32301c97047967@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f32301c97047967@%3Cdev.groovy.apache.org%3E
- https://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f32301c97047967@%3Cusers.groovy.apache.org%3E
- http://www.openwall.com/lists/oss-security/2020/12/06/1
- https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/rb860063819b9c0990e1fbce29d83f4554766fe5a05e3b3939736bf2b@%3Ccommits.myfaces.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c@%3Cdev.creadur.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a@%3Cdev.creadur.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://launchpad.net/bugs/cve/CVE-2020-1945
- https://lists.apache.org/thread.html/r0d08a96ba9de8aa435f32944e8b2867c368a518d4ff57782e3637335%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r1863b9ce4c3e4b1e5b0c671ad05545ba3eb8399616aa746af5dfe1b1%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r1a9c992d7c8219dc15b4ad448649f0ffdaa88d76ef6a0035c49455f5%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r1b32c76afffcf676e13ed635a3332f3e46e6aaa7722eb3fc7a28f58e%40%3Cdev.hive.apache.org%3E
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r2704fb14ce068c64759a986f81d5b5e42ab434fa13d0f444ad52816b%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r3cea0f3da4f6d06d7afb6c0804da8e01773a0f50a09b8d9beb2cda65%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r4b2904d64affd4266cd72ccb2fc3927c1c2f22009f183095aa46bf90%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r5dfc77048b1f9db26622dce91a6edf083d499397256594952fad5f35%40%3Ccommits.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r6030d34ceacd0098538425c5dac8251ffc7fd90b886942bc7ef87858%40%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/r6970d196cd73863dafdbc3a7052562deedd338e3bd7d73d8171d92d6%40%3Ccommits.groovy.apache.org%3E
- https://lists.apache.org/thread.html/r6e295d792032ec02b32be3846c21a58857fba4a077d22c5842d69ba2%40%3Ctorque-dev.db.apache.org%3E
- https://lists.apache.org/thread.html/r6edd3e2cb79ee635630d891b54a4f1a9cd8c7f639d6ee34e75fbe830%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r815f88d1044760176f30a4913b4baacd06f3eae4eb662de7388e46d8%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r8e24abb7dd77cda14c6df90a377c94f0a413bbfcec90a29540ff8adf%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r95dc943e47a211d29df605e14f86c280fc9fa8d828b2b53bd07673c9%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f32301c97047967%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f32301c97047967%40%3Cdev.groovy.apache.org%3E
- https://lists.apache.org/thread.html/ra12c3e23b021f259a201648005b9946acd7f618a6f32301c97047967%40%3Cusers.groovy.apache.org%3E
- https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465%40%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rb860063819b9c0990e1fbce29d83f4554766fe5a05e3b3939736bf2b%40%3Ccommits.myfaces.apache.org%3E
- https://lists.apache.org/thread.html/rb8ec556f176c83547b959150e2108e2ddf1d61224295941908b0a81f%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
- https://lists.apache.org/thread.html/rc89e491b5b270fb40f1210b70554527b737c217ad2e831b643ead6bc%40%3Cuser.ant.apache.org%3E
- https://lists.apache.org/thread.html/rce099751721c26a8166d8b6578293820832831a0b2cb8d93b8efa081%40%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/rd7dda48ff835f4d0293949837d55541bfde3683bd35bd8431e324538%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rda80ac59119558eaec452e58ddfac2ccc9211da1c65f7927682c78b1%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rdaa9c51d5dc6560c9d2b3f3d742c768ad0705e154041e574a0fae45c%40%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/re1ce84518d773a94a613d988771daf9252c9cf7375a9a477009f9735%40%3Ccommits.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rf07feaf78afc8f701e21948a06ef92565d3dff1242d710f4fbf900b2%40%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/rfd346609527a79662c48b1da3ac500ec30f29f7ddaa3575051e81890%40%3Ccommits.creadur.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EQBR65TINSJRN7PTPIVNYS33P535WM74/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRVAWTCVXJMRYKQKEXYSNBF7NLSR6OEI/
- https://issues.apache.org/jira/browse/RAT-269?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1837445
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1837446
- https://access.redhat.com/errata/RHSA-2020:2618
- https://access.redhat.com/security/cve/cve-2020-1945
- https://access.redhat.com/errata/RHSA-2020:4960
- https://access.redhat.com/errata/RHSA-2020:4961
- https://access.redhat.com/errata/RHSA-2021:0423
- https://access.redhat.com/errata/RHSA-2021:0429
- https://access.redhat.com/errata/RHSA-2021:0637
- https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
- https://bugzilla.redhat.com/show_bug.cgi?id=1837444
- https://www.cve.org/CVERecord?id=CVE-2020-1945 https://nvd.nist.gov/vuln/detail/CVE-2020-1945
- https://www.openwall.com/lists/oss-security/2020/05/13/1
- https://github.com/apache/ant/commit/9c1f4d905da59bf446570ac28df5b68a37281f35
- https://github.com/apache/ant/commit/926f339ea30362bec8e53bf5924ce803938163b7
- https://github.com/apache/ant/commit/d591851ae3921172bb825b5a5344afa3de0e28ca
- https://github.com/apache/ant/commit/041b058c7bf10a94d56db3ca9dba38cf90ab9943
- https://github.com/apache/ant/commit/a8645a151bc706259fb1789ef587d05482d98612
- https://security-tracker.debian.org/tracker/CVE-2020-1945
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1945
- https://ubuntu.com/security/notices/USN-4380-1
- https://ubuntu.com/security/notices/USN-4874-1
- https://nvd.nist.gov/vuln/detail/CVE-2020-1945
- https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=9c1f4d905da59bf446570ac28df5b68a37281f35 (1.9.x, 1.10.x)
- https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=926f339ea30362bec8e53bf5924ce803938163b7 (1.9.x, 1.10.x)
- https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=041b058c7bf10a94d56db3ca9dba38cf90ab9943 (1.10.x)
- https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=a8645a151bc706259fb1789ef587d05482d98612 (1.10.x)
- https://ubuntu.com/security/CVE-2020-1945
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-1945.
What is the severity level of CVE-2020-1945?
The severity level of CVE-2020-1945 is medium.
What software versions are affected by CVE-2020-1945?
Apache Ant versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 are affected by CVE-2020-1945.
How can an attacker exploit CVE-2020-1945?
An attacker can exploit CVE-2020-1945 to bypass security restrictions by using an insecure temporary directory.
How can I fix CVE-2020-1945?
To fix CVE-2020-1945, update Apache Ant to version 1.9.15 or 1.10.8, depending on the version you are using.
- collector/redhat-cve
- collector/ibm-support
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/last-modified-date
- agent/first-publish-date
- agent/severity
- agent/references
- agent/weakness
- agent/remedy
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1945
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu
- vendor/apache
- canonical/apache ant
- version/apache ant/1.1
- version/apache ant/1.9.14
- version/apache ant/1.10.0
- version/apache ant/1.10.7
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/19.10
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.2
- vendor/oracle
- canonical/oracle agile engineering data management
- version/oracle agile engineering data management/6.2.1.0
- canonical/oracle banking enterprise collections
- version/oracle banking enterprise collections/2.7.0
- version/oracle banking enterprise collections/2.9.0
- canonical/oracle banking liquidity management
- version/oracle banking liquidity management/14.0.0
- version/oracle banking liquidity management/14.4.0
- canonical/oracle banking platform
- version/oracle banking platform/2.4.0
- version/oracle banking platform/2.9.0
- canonical/oracle business process management suite
- version/oracle business process management suite/12.2.1.3.0
- version/oracle business process management suite/12.2.1.4.0
- canonical/oracle category management planning \& optimization
- version/oracle category management planning \& optimization/15.0.3
- canonical/oracle communications asap
- version/oracle communications asap/7.3
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0
- version/oracle communications diameter signaling router/8.2.2
- canonical/oracle communications metasolv solution
- version/oracle communications metasolv solution/6.3.0
- canonical/oracle communications order and service management
- version/oracle communications order and service management/7.3
- version/oracle communications order and service management/7.4
- canonical/oracle data integrator
- version/oracle data integrator/12.2.1.3.0
- version/oracle data integrator/12.2.1.4.0
- canonical/oracle endeca information discovery studio
- version/oracle endeca information discovery studio/3.2.0
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle enterprise repository
- version/oracle enterprise repository/11.1.1.7.0
- canonical/oracle financial services analytical applications infrastructure
- version/oracle financial services analytical applications infrastructure/8.0.6
- version/oracle financial services analytical applications infrastructure/8.1.0
- canonical/oracle flexcube investor servicing
- version/oracle flexcube investor servicing/12.1.0
- version/oracle flexcube investor servicing/12.3.0
- version/oracle flexcube investor servicing/12.4.0
- version/oracle flexcube investor servicing/14.0.0
- version/oracle flexcube investor servicing/14.1.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle health sciences information manager
- version/oracle health sciences information manager/3.0
- version/oracle health sciences information manager/3.0.2
- canonical/oracle primavera gateway
- version/oracle primavera gateway/16.2.0
- version/oracle primavera gateway/16.2.11
- version/oracle primavera gateway/17.12.0
- version/oracle primavera gateway/17.12.7
- canonical/oracle primavera unifier
- version/oracle primavera unifier/17.7
- version/oracle primavera unifier/17.12
- version/oracle primavera unifier/16.1
- version/oracle primavera unifier/16.2
- version/oracle primavera unifier/18.8
- version/oracle primavera unifier/19.12
- canonical/oracle rapid planning
- version/oracle rapid planning/12.1
- version/oracle rapid planning/12.2
- canonical/oracle real-time decision server
- version/oracle real-time decision server/3.2.1.0
- canonical/oracle retail advanced inventory planning
- version/oracle retail advanced inventory planning/14.1
- version/oracle retail advanced inventory planning/15.0
- version/oracle retail advanced inventory planning/16.0
- canonical/oracle retail assortment planning
- version/oracle retail assortment planning/15.0.3
- version/oracle retail assortment planning/16.0.3
- canonical/oracle retail back office
- version/oracle retail back office/14.0
- version/oracle retail back office/14.1
- canonical/oracle retail bulk data integration
- version/oracle retail bulk data integration/15.0
- version/oracle retail bulk data integration/16.0
- version/oracle retail bulk data integration/16.0.3.0
- version/oracle retail bulk data integration/19.0.1
- canonical/oracle retail central office
- version/oracle retail central office/14.0
- version/oracle retail central office/14.1
- canonical/oracle retail data extractor for merchandising
- version/oracle retail data extractor for merchandising/1.9
- version/oracle retail data extractor for merchandising/1.10
- canonical/oracle retail extract transform and load
- version/oracle retail extract transform and load/13.2.5
- version/oracle retail extract transform and load/13.2.8
- canonical/oracle retail financial integration
- version/oracle retail financial integration/14.1.3.2
- version/oracle retail financial integration/15.0
- version/oracle retail financial integration/15.0.4.0
- version/oracle retail financial integration/16.0
- version/oracle retail financial integration/16.0.3.0
- canonical/oracle retail integration bus
- version/oracle retail integration bus/14.1
- version/oracle retail integration bus/14.1.3.2
- version/oracle retail integration bus/15.0
- version/oracle retail integration bus/15.0.4.0
- version/oracle retail integration bus/16.0
- version/oracle retail integration bus/16.0.3.0
- version/oracle retail integration bus/19.0.1.0
- canonical/oracle retail item planning
- version/oracle retail item planning/15.0.3
- canonical/oracle retail macro space optimization
- version/oracle retail macro space optimization/15.0.3
- canonical/oracle retail merchandise financial planning
- version/oracle retail merchandise financial planning/15.0.3
- canonical/oracle retail merchandising system
- version/oracle retail merchandising system/19.0.1
- canonical/oracle retail point-of-service
- version/oracle retail point-of-service/14.0
- version/oracle retail point-of-service/14.1
- version/oracle retail point-of-service/15.0
- version/oracle retail point-of-service/16.0
- canonical/oracle retail predictive application server
- version/oracle retail predictive application server/14.0.3
- version/oracle retail predictive application server/14.1.3
- version/oracle retail predictive application server/15.0.3
- version/oracle retail predictive application server/16.0.3
- version/oracle retail predictive application server/16.0.3.0
- canonical/oracle retail regular price optimization
- version/oracle retail regular price optimization/15.0.3
- version/oracle retail regular price optimization/16.0.3
- canonical/oracle retail replenishment optimization
- version/oracle retail replenishment optimization/15.0.3
- canonical/oracle retail returns management
- version/oracle retail returns management/14.0
- version/oracle retail returns management/14.1
- canonical/oracle retail service backbone
- version/oracle retail service backbone/14.1.3.2
- version/oracle retail service backbone/15.0
- version/oracle retail service backbone/15.0.4.0
- version/oracle retail service backbone/16.0
- version/oracle retail service backbone/16.0.3.0
- version/oracle retail service backbone/19.0.1.0
- canonical/oracle retail size profile optimization
- version/oracle retail size profile optimization/15.0.3
- version/oracle retail size profile optimization/16.0.3
- canonical/oracle retail store inventory management
- version/oracle retail store inventory management/14.0.4
- version/oracle retail store inventory management/14.1
- version/oracle retail store inventory management/14.1.3
- version/oracle retail store inventory management/15.0
- version/oracle retail store inventory management/15.0.3
- version/oracle retail store inventory management/16.0
- version/oracle retail store inventory management/16.0.3
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/15.0.4
- version/oracle retail xstore point of service/16.0.6
- version/oracle retail xstore point of service/17.0.4
- version/oracle retail xstore point of service/18.0.3
- version/oracle retail xstore point of service/19.0.2
- canonical/oracle timesten in-memory database
- version/oracle timesten in-memory database/11.2.2.8.49
- canonical/oracle utilities framework
- version/oracle utilities framework/4.3.0.1.0
- version/oracle utilities framework/4.3.0.6.0
- version/oracle utilities framework/2.2.0.0.0
- version/oracle utilities framework/4.2.0.2.0
- version/oracle utilities framework/4.2.0.3.0
- version/oracle utilities framework/4.4.0.0.0
- version/oracle utilities framework/4.4.0.2.0