GHSA-f62v-xpxf-3v68

Suggest an improvement
Source
https://github.com/advisories/GHSA-f62v-xpxf-3v68
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-f62v-xpxf-3v68/GHSA-f62v-xpxf-3v68.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f62v-xpxf-3v68
Aliases
Published
2021-02-03T19:16:35Z
Modified
2024-04-02T19:23:03Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Code injection in Apache Ant
Details

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

References

Affected packages

Maven / org.apache.ant:ant

Package

Name
org.apache.ant:ant
View open source insights on deps.dev
Purl
pkg:maven/org.apache.ant/ant

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.10.8
Fixed
1.10.9

Affected versions

1.*

1.10.8