As documented in CVE-2020-1945, Apache Ant versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 use the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. Moreover, the fixcrlf and replaceregexp tasks copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the Codehaus Cargo container configuration generation process, a security issue still existing in Apache Ant 1.9.15 and 1.10.8. Last but not least, Apache Ant versions up to 1.9.15 / 1.10.10 suffer from an issue where a specially crafted ZIP or TAR file can make the associated libraries allocate very large amounts of memory (and cause a JVM crash, as explained in CVE-2021-36373 and CVE-2021-36374). We hence strongly recommend only using Apache Ant version 1versionĀ 1.9.15 16 and above (if you need to stick to the Apache Ant 1.9.x branch), or Apache Ant version 1.10.9 11 and above in general. |