CVE-2020-11979
medium
CVSS v3
—
CVSS v2
—
VIR risk
5.5
Description
Code injection in Apache Ant
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2020-11979.html
Vendor advisory: arch — https://security.archlinux.org/ASA-202012-5
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-11979
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | forky | fixed | 1.10.9-1 |
| debian | trixie | fixed | 1.10.9-1 |
| debian | sid | fixed | 1.10.9-1 |
| debian | bookworm | fixed | 1.10.9-1 |
| debian | bullseye | fixed | 1.10.9-1 |
| arch | | fixed | 1.10.9-1 |
| sles | | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.ant:ant | <1.10.9 | 1.10.9 |
References
- https://security-tracker.debian.org/tracker/CVE-2020-11979
- https://security.archlinux.org/ASA-202012-5
- https://www.suse.com/security/cve/CVE-2020-11979.html
- https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm
- https://nvd.nist.gov/vuln/detail/CVE-2020-11979
- https://github.com/apache/ant/commit/87ac51d3c22bcf7cfd0dc07cb0bd04a496e0d428
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://security.gentoo.org/glsa/202011-18
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYBRN5C2RW7JRY75IB7Q7ZVKZCHWAQWS
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AALW42FWNQ35F7KB3JVRC6NBVV7AAYYI
- https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
- https://lists.apache.org/thread.html/rbfe9ba28b74f39f46ec1bbbac3bef313f35017cf3aac13841a84483a@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/raaeddc41da8f3afb1cb224876084a45f68e437a0afd9889a707e4b0c@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r5e1cdd79f019162f76414708b2092acad0a6703d666d72d717319305@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r4ca33fad3fb39d130cda287d5a60727d9e706e6f2cf2339b95729490@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r2306b67f20c24942b872b0a41fbdc9330e8467388158bcd19c1094e0@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r1dc8518dc99c42ecca5ff82d0d2de64cd5d3a4fa691eb9ee0304781e@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/r107ea1b1a7a214bc72fe1a04207546ccef542146ae22952e1013b5cc@%3Cdev.creadur.apache.org%3E
- https://github.com/apache/ant