Posted to dev@ant.apache.org by Ashish Verma V <as...@ericsson.com.INVALID> on 2022/02/02 10:27:34 UTC
Apache Ant Vulnerability
Hi Team,
We are using "maven-antrun-plugin", which internally uses Apache Ant.
Recently a high severity vulnerability (CVE-2020-11979 <https://ant.apache.org/security.html>) was observed specific to Apache Ant.
This CVE is fixed in Apache Ant version 1.10.9. However, the latest maven-antrun-plugin (v3.0.0) is using an older Apache Ant version (i.e. Apache Ant 1.9.14) that is impacted
by this vulnerability.
Kindly let us know the plan to take the latest Ant version to fix this vulnerability.
Thanks
Ashish Verma
Re: Apache Ant Vulnerability
Posted by Stefan Bodewig <bo...@apache.org>.
Hi Ashish
On 2022-02-02, Ashish Verma V wrote:
> We are using "maven-antrun-plugin", which internally uses Apache Ant.
> Recently a high severity vulnerability
> (CVE-2020-11979 <https://ant.apache.org/security.html>) was observed
> specific to Apache Ant.
> Kindly let us know the plan to take the latest ant version to fix this
> vulnerability.
The maven antrun plugin is not maintained by the Apache Ant project, but
by the Apache Maven project[1]. You may want to ask over there.
It is possible that Maven configures the temporary directory for the
antrun plugin in a totally different way and thus the plugin is not
affected by the vulnerability. But I am by no means an expert for the
antrun plugin and you really should ask over in Maven land to see
whether it is affected or not.
Please note the CVE we are talking about was published more than a
year ago.
Cheers
Stefan
[1] https://maven.apache.org/plugins/maven-antrun-plugin/