#VU27924 Incorrect default permissions in Apache Ant - CVE-2020-1945
Published: May 15, 2020
Vulnerability identifier: #VU27924
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-1945
CWE-ID: CWE-276
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Apache Ant
Apache Ant
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to Apache Ant is using a default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process. A local user with access to the system can view contents of files and directories or modify them.
Remediation
Install updates from vendor's website.