CVE-2020-11979
Arbitrary File Write vulnerability in ant (Maven)
What is CVE-2020-11979 About?
Apache Ant 1.10.8 has an Arbitrary File Write vulnerability in its `fixcrlf` task, despite a previous fix for CVE-2020-1945. The task creates temporary files insecurely, allowing an attacker to inject modified source files into the build process. This vulnerability is moderately easy to exploit.
Affected Software
Technical Details
The vulnerability in Apache Ant 1.10.8 specifically affects the `fixcrlf` task. While a previous mitigation for CVE-2020-1945 aimed to secure temporary files by setting restrictive permissions, the `fixcrlf` task inadvertently nullified this effort. The core issue is that `fixcrlf` deletes the initially secured temporary file and then creates a new one without inheriting or re-applying the necessary secure permissions. This insecure creation of the new temporary file opens a race window. During this window, a local attacker can exploit this condition to inject their own modified source files into the newly created, unprotected temporary file. Consequently, when the build process later reads this temporary file, it will consume the attacker's malicious content, effectively injecting unauthorized code or modifications into the build output.
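As an added illustration of the two temp-file patterns described above (hypothetical code, not Ant's own `fixcrlf` implementation), assuming a POSIX filesystem: the weak delete-then-recreate sequence beside an atomic create-and-open that keeps owner-only permissions for the file's whole lifetime.

```java
import java.io.IOException;
import java.nio.channels.SeekableByteChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.security.SecureRandom;
import java.util.EnumSet;
import java.util.Set;

// Illustrative only: not Ant's fixcrlf code, just the pattern the advisory
// describes. Assumes a POSIX filesystem (the permission attributes need one).
public class TempFileRace {
    private static final byte[] CONTENT = "converted source".getBytes(StandardCharsets.UTF_8);
    // Weak pattern: the owner-only temp file is deleted, then the same path is
    // recreated with default (umask-dependent) mode. Between the two calls the
    // path is unowned, and whatever ends up there is what the build later reads.
    static Path weakPattern(Path dir) throws IOException {
        Path tmp = Files.createTempFile(dir, "fixcrlf", ".tmp"); // rw------- on POSIX
        Files.delete(tmp);                                       // protection discarded
        Files.write(tmp, CONTENT);                               // CREATE+TRUNCATE, no mode
        return tmp;
    }
    // Hardened pattern: one atomic create-and-open (O_CREAT|O_EXCL with mode 0600),
    // then write through that handle. The path never exists without the restrictive
    // mode, and a pre-planted file makes the open fail instead of being reused.
    static Path hardenedPattern(Path dir) throws IOException {
        FileAttribute<Set<PosixFilePermission>> mode =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        SecureRandom rng = new SecureRandom();
        for (int attempt = 0; attempt < 100; attempt++) {
            Path tmp = dir.resolve("fixcrlf" + Long.toUnsignedString(rng.nextLong(), 36) + ".tmp");
            try (SeekableByteChannel ch = Files.newByteChannel(tmp,
                    EnumSet.of(StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE), mode)) {
                ch.write(java.nio.ByteBuffer.wrap(CONTENT));
                return tmp;
            } catch (FileAlreadyExistsException e) {
                // Collision or planted file: pick another random name.
            }
        }
        throw new IOException("could not create a private temp file in " + dir);
    }
    // Audit check: print the mode each pattern leaves behind (run with umask 022 to see the gap).
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("ant-demo");
        for (Path p : new Path[] { weakPattern(dir), hardenedPattern(dir) }) {
            System.out.println(p + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(p)));
        }
    }
}
```

With a typical umask of 022 the weak path is reported as `rw-r--r--` and the hardened one as `rw-------`, which is the difference the CVE-2020-1945 fix was meant to guarantee.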
What is the Impact of CVE-2020-11979?
Successful exploitation may allow attackers to inject arbitrary malicious code or configurations into the build process, potentially leading to supply chain attacks, remote code execution, or denial of service.
What is the Exploitability of CVE-2020-11979?
Exploitation of this vulnerability is local and requires the attacker to have at least basic local user access to the system where Apache Ant is running. The complexity is moderate, involving a race condition during the creation of temporary files. No specific authentication is required beyond local system access, and the attacker does not need elevated privileges to trigger the race condition. The primary condition for exploitation is the execution of the `fixcrlf` task on a vulnerable version of Apache Ant. The short window of the race condition makes the exploit a timing-sensitive operation. Risk factors include continuous integration/deployment (CI/CD) environments where multiple users might invoke Ant builds or where build processes run with predictable timing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-11979?
Available Upgrade Options
- org.apache.ant:ant
- <1.10.9 → Upgrade to 1.10.9
Additional Resources
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0%40%3Cdev.creadur.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305%40%3Cdev.creadur.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-11979?
Similar Vulnerabilities: CVE-2019-12402, CVE-2019-12403, CVE-2021-24031, CVE-2022-42866, CVE-2023-44405
