Posted to dev@ant.apache.org by Ashish Verma V <as...@ericsson.com.INVALID> on 2022/02/02 10:27:34 UTC

Apache Ant Vulnerability

Hi Team,

We are using "maven-antrun-plugin" that internally uses apache ant.

Recently a high severity vulnerability (CVE-2020-11979<https://ant.apache.org/security.html>) was observed, specific to Apache Ant.

This CVE is fixed in Apache Ant version 1.10.9. However, the latest maven-antrun-plugin (v3.0.0) is using an older Apache Ant version (i.e. Apache Ant 1.9.14) that is impacted
by this vulnerability.

Kindly let us know the plan to take the latest ant version to fix this vulnerability.

Thanks
Ashish Verma


Re: Apache Ant Vulnerability

Posted by Stefan Bodewig <bo...@apache.org>.
Hi Ashish

On 2022-02-02, Ashish Verma V wrote:

> We are using "maven-antrun-plugin" that internally uses apache ant.

> Recently high severity vulnerability
> (CVE-2020-11979<https://ant.apache.org/security.html>) is observed
> specific to apache ant

> Kindly let us know the plan to take the latest ant version to fix this
> vulnerability.

The maven antrun plugin is not maintained by the Apache Ant project, but
by the Apache Maven project[1]. You may want to ask over there.

It is possible that Maven configures the temporary directory for the
antrun plugin in a totally different way and thus the plugin is not
affected by the vulnerability. But I am by no means an expert on the
antrun plugin and you really should ask over in Maven land to see
whether it is affected or not.

Please note the CVE we are talking about has been published more than a
year ago.

Cheers

        Stefan

[1] https://maven.apache.org/plugins/maven-antrun-plugin/
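As an added illustration that is not part of this thread and not code from the Ant or Maven projects: a build owner who wants the patched Ant in place before the Maven side answers can declare the Ant artifact as a plugin-level dependency of maven-antrun-plugin in the POM. Maven resolves entries in a plugin's own `<dependencies>` block ahead of the plugin's transitive dependencies, so org.apache.ant:ant:1.10.9 (the fixed version named above) replaces the 1.9.14 the plugin otherwise pulls in. That maven-antrun-plugin 3.0.0 runs correctly against Ant 1.10.9 is an assumption to verify in the build; whether the override is even needed in the plugin's context is the question Stefan recommends putting to the Maven project.

```xml
<!-- Added example, not from the thread: pin a patched Ant for maven-antrun-plugin.
     Assumption: the plugin is compatible with Ant 1.10.9; confirm with a test build. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-antrun-plugin</artifactId>
      <version>3.0.0</version>
      <dependencies>
        <!-- A plugin-level dependency takes precedence over the Ant version
             the plugin declares transitively (1.9.14 per the report above). -->
        <dependency>
          <groupId>org.apache.ant</groupId>
          <artifactId>ant</artifactId>
          <version>1.10.9</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

After adding the block, run `mvn dependency:resolve-plugins` to list each plugin's resolved dependencies and confirm that the Ant artifact shows 1.10.9 rather than 1.9.14; if the plugin depends on additional Ant artifacts, they can be pinned the same way inside the same `<dependencies>` block.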
