{
  "threat_severity" : "Moderate",
  "public_date" : "2020-10-01T00:00:00Z",
  "bugzilla" : {
    "description" : "ant: insecure temporary file",
    "id" : "1903702",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1903702"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-377",
  "details" : [ "As mitigation for CVE-2020-1945, Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately, the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process." ],
  "statement" : "ant as shipped in Red Hat Enterprise Linux 8 is not affected by this flaw, because the flaw is introduced by the patch for CVE-2020-1945, and that patch was never applied to ant as shipped in Red Hat Enterprise Linux 8: the decision was made by Engineering to WONTFIX that flaw.\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of the ant package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0637",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "jenkins-0:2.263.3.1612433584-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0429",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "conmon-2:2.0.21-1.rhaos4.5.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0429",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "jenkins-0:2.263.3.1612434332-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0429",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "machine-config-daemon-0:4.5.0-202102050524.p0.git.2594.ff3b8c0.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0429",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "openshift-0:4.5.0-202102050524.p0.git.0.9229406.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0429",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "openshift-ansible-0:4.5.0-202102031005.p0.git.0.c6839a2.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0429",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "openshift-clients-0:4.5.0-202102051529.p0.git.3612.61b096a.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2021-03-03T00:00:00Z",
    "advisory" : "RHSA-2021:0429",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "runc-0:1.0.0-72.rhaos4.5.giteadfc6b.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2021-02-17T00:00:00Z",
    "advisory" : "RHSA-2021:0423",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "jenkins-0:2.263.3.1612434510-1.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "ant",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Will not fix",
    "package_name" : "ant",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "ant",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "ant",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "ant",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "ant",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "ant:1.10/ant",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Out of support scope",
    "package_name" : "ant",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "ant",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Out of support scope",
    "package_name" : "ant",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "ant",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "ant",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Out of support scope",
    "package_name" : "ant",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-metering-hive",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Will not fix",
    "package_name" : "ant",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "rh-sso7-keycloak",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Not affected",
    "package_name" : "ant",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-11979\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11979\nhttps://security.gentoo.org/glsa/202011-18" ],
  "name" : "CVE-2020-11979",
  "csaw" : false
}