Improper input validation in Apache Ant - CVE-2018-10886

 


Published: July 25, 2018 / Updated: July 26, 2018


Vulnerability identifier: #VU13998
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10886
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Ant

Detailed vulnerability description

The vulnerability allows a remote attacker to create or overwrite arbitrary files on the target system.

The vulnerability exists because the affected software allows archive files to be extracted outside of the target directory. A remote unauthenticated attacker can submit a specially crafted ZIP or TAR archive to an Ant build, trick the victim into extracting it, and cause files to be created or overwritten outside the current working directory on the system.
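
A pre-extraction check for the condition described above, as an added example (not code from Apache Ant or from this advisory): it lists the entries of a ZIP or TAR archive whose paths would resolve outside the extraction directory. The function names and the in-memory sample archives are constructed for illustration, and the check on TAR link targets goes beyond what the advisory describes.

```python
import io
import posixpath
import tarfile
import zipfile


def escapes(name: str) -> bool:
    """True if an entry path would resolve outside the extraction directory."""
    # Treat '\' as a separator too, since Windows extractors do.
    norm = posixpath.normpath(name.replace("\\", "/"))
    return (norm.startswith("/") or norm[1:2] == ":"
            or norm == ".." or norm.startswith("../"))


def unsafe_entries(data: bytes) -> list[str]:
    """Names of ZIP or TAR entries that would land outside the target directory."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            return [n for n in zf.namelist() if escapes(n)]
    buf.seek(0)
    bad = []
    with tarfile.open(fileobj=buf) as tf:
        for m in tf.getmembers():
            # Symlink targets are relative to the link's directory, hard links to the root.
            base = posixpath.dirname(m.name) if m.issym() else ""
            link = (m.issym() or m.islnk()) and escapes(posixpath.join(base, m.linkname))
            if escapes(m.name) or link:
                bad.append(m.name)
    return bad


def samples() -> tuple[bytes, bytes]:
    """Constructed ZIP and TAR, each with an ordinary and a traversal entry."""
    zbuf, tbuf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("lib/app.jar", b"x")
        zf.writestr("../../outside.txt", b"x")
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        for name in ("src/Main.java", "../outside.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("src/link")
        link.type, link.linkname = tarfile.SYMTYPE, "../../elsewhere"
        tf.addfile(link)
    return zbuf.getvalue(), tbuf.getvalue()
```

Running `unsafe_entries` over archives before they reach an unpatched build flags the entries to reject; it complements, and does not replace, the update listed under mitigation.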


How to mitigate CVE-2018-10886

Update to version 1.9.12.
