Incorrect default permissions in Apache Ant - CVE-2020-1945
Published: May 15, 2020
Vulnerability identifier: #VU27924
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-1945
CWE-ID: CWE-276
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Ant
Apache Ant
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to Apache Ant is using a default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process. A local user with access to the system can view contents of files and directories or modify them.
How to mitigate CVE-2020-1945
Install updates from vendor's website.