{"id":"CVE-2020-11979","details":"As mitigation for CVE-2020-1945, Apache Ant 1.10.8 changed the permissions of the temporary files it created so that only the current user was allowed to access them. Unfortunately, the fixcrlf task deleted the temporary file and created a new one without that protection, effectively nullifying the mitigation. This would still allow an attacker to inject modified source files into the build process.","aliases":["BIT-gradle-2020-11979","GHSA-f62v-xpxf-3v68"],"modified":"2026-04-16T04:36:35.765481954Z","published":"2020-10-01T20:15:13.033Z","related":["GHSA-j45w-qrgf-25vm","SUSE-SU-2022:4022-1","openSUSE-SU-2024:10616-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c%40%3Cdev.creadur
.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS/"},{"type":"ADVISORY","url":"https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202011-18"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/ant","events":[{"introduced":"0"},{"last_affected":"e04bc345599fbf78167b181fa47ae5cb707534e4"},{"introduced":"0"},{"last_affected":"0e3903c23e894da440c1b21b517989a5e7719d57"},{"introduced":"0"},{"last_affected":"f64b6066d4d43a8fba222d8b2fd93cec2542a748"},{"introduced":"0"},{"last_affected":"ab8035ab67e0187e151cf52714740d91c3c31dc9"},{"introduced":"0"},{"last_affected":"ba9786dbe557e4a12f91a597cc26638b29c93b9f"},{"introduced":"0"},{"last_affected":"ba9786dbe557e4a12f91a597cc26638b29c93b9f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.10.8"},{"introduced":"0"},{"last_affected":"31"},{"introduced":"0"},{"last_affected":"16.1"},{"introduced":"0"},{"last_affected":"16.2"},{"introduced":"0"},{"last_affected":"14.1"},{"introduced":"0"},{"last_affected":"14.1"}]}},{"type":"GIT","repo":"https://github.com/gradle/gradle","events":[{"introduced":"0"},{"fixed":"b7e82460c5373e194fb478a998c4fcfe7da53a7e"},{"introduced":"0"},{"last_affect
ed":"96ab788d1d24d9a12519e0d78794edacd4272a6f"},{"introduced":"0"},{"last_affected":"849c772b536eda8a404dfea37328ca8946e287d1"},{"introduced":"0"},{"last_affected":"f19c3a8a62316d6b837effabfe816088476f33cf"},{"introduced":"0"},{"last_affected":"f0d9291c04b90b59445041eaa75b2ee744162586"},{"introduced":"0"},{"last_affected":"36dc52588e09b4b72f2010bc07599e0ee0434e2e"},{"introduced":"0"},{"last_affected":"40ba32cde9d6daf2b92c39376d2758909dd6b813"},{"introduced":"0"},{"last_affected":"1cf537a851c635c364a4214885f8b9798051175b"},{"introduced":"0"},{"last_affected":"96ab788d1d24d9a12519e0d78794edacd4272a6f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.8.0"},{"introduced":"0"},{"last_affected":"2.4.0"},{"introduced":"0"},{"last_affected":"2.7.0"},{"introduced":"0"},{"last_affected":"2.8.0"},{"introduced":"0"},{"last_affected":"7.4.0"},{"introduced":"0"},{"last_affected":"7.4.1"},{"introduced":"0"},{"last_affected":"8.1.0"},{"introduced":"0"},{"last_affected":"8.1.1"},{"introduced":"0"},{"last_affected":"2.4"}]}}],"versions":["ANT_1.10.6_RC1","ANT_1.10.8_RC1","ANT_14_B1","ANT_16_B1","ANT_16_B2","REL-0.8","REL-0.9-preview-1","REL-0.9-preview-2","REL-0.9-preview-3","REL-0.9-rc-1","REL_0.9","REL_0.9-rc-2","REL_0.9-rc-3","REL_0.9.1","REL_0.9.2","REL_1.0-milestone-1","REL_1.0-milestone-2","REL_1.0-milestone-3","REL_1.11","REL_1.11-rc-1","REL_1.12","REL_1.12-rc-1","REL_1.12-rc-2","REL_2.4","REL_2.4-rc-1","REL_2.4-rc-2","REL_2.7","REL_2.7-rc-1","REL_2.7-rc-2","REL_2.8","REL_2.8-rc-1","REL_2.8-rc-2","REL_3.0-milestone-1","TOMCAT_31_FINAL","rel/1.10.8","v0.8","v0.8.0","v0.9","v0.9-RC1","v0.9-RC2","v0.9-RC3","v0.9.0","v0.9.0-RC1","v0.9.0-RC2","v0.9.0-RC3","v0.9.1","v0.9.2","v1.0-M1","v1.0-M2","v1.0-M3","v1.0.0-M1","v1.0.0-M2","v1.0.0-M3","v1.11","v1.11-RC1","v1.11.0","v1.11.0-RC1","v1.12","v1.12-RC1","v1.12-RC2","v1.12.0","v1.12.0-RC1","v1.12.0-RC2","v2.4","v2.4-RC1","v2.4-RC2","v2.4.0","v2.4.0-RC1","v2.4.0-RC2","v2.7","v2.7-RC1","v2.7-RC2","v2.7.0","v2.7.0-RC1","v
2.7.0-RC2","v2.8","v2.8-RC1","v2.8-RC2","v2.8.0","v2.8.0-RC1","v2.8.0-RC2","v3.0.0-M1","v6.1.0-M1","v6.1.0-M2","v6.5.0-M1","v6.5.0-M2","v6.6.0-M1","v6.6.0-M2","v6.8.0-M1","v6.8.0-M2","v6.8.0-M3","v6.8.0-RC1","v6.8.0-RC2","v6.8.0-RC3","v6.8.0-RC4","v6.8.0-RC5","v7.0.0-M1","v7.0.0-M2","v7.0.0-M3","v7.4.0","v7.4.0-RC1","v7.4.0-RC2","v7.4.1","v8.0.0-M2","v8.1.0","v8.1.0-RC1","v8.1.0-RC2","v8.1.0-RC3","v8.1.0-RC4","v8.1.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11979.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"6.2.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.6.2"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.4"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.1.7.0"}]},{"events":[{"introduced":"8.0.6"},{"last_affected":"8.0.9"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"16.2.0"},{"last_affected":"16.2.11"}]},{"events":[{"introduced":"17.12.0"},{"last_affected":"17.12.9"}]},{"events":[{"introduced":"17.7"},{"last_affected":"17.12"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]},{"events":[{"introduced":"0"},{"last_affected":"20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"3.2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.1.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"e
vents":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"20.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.9"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.5.1"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.2.8.27"}]},{"events":[{"introduced":"0"},{"last_affected":"4.3.0.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.3.0.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.2.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:
U/C:N/I:H/A:N"}]}