Fedora 28 update for ant
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-10886 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system ant Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Improper input validation
EUVDB-ID: #VU13998
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-10886
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to create or overwrite arbitrary files on the target system.
The vulnerability exists due to the affected software allows archive files to be extracted outside of the target directory. A remote unauthenticated attacker can submit a specially crafted ZIP or TAR archive to an Ant build, trick the victim into extracting it, cause a file to be created outside the current working directory on the system and create or overwrite arbitrary files.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 28
ant: before 1.10.1-10.fc28
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-2018-cba3ccd747
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
