Main Vulnerability Database SB2020100815

SB2020100815 - Permissions, Privileges, and Access Controls in apache-ant (Alpine package)

Published: October 8, 2020

Security Bulletin ID SB2020100815

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-11979)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect patch for vulnerability #VU27924 (CVE-2020-1945). Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=d0beafdbb5ebed0173974d00db4f6e12c30ba30a