
CVE-2020-1945: Apache Ant Information Disclosure Flaw

CVE-2020-1945 is an information disclosure vulnerability in Apache Ant that exposes sensitive data through temporary directories and enables file injection attacks. This article covers technical details, affected versions, and mitigation strategies.

Published: March 4, 2026

CVE-2020-1945 Overview

Apache Ant versions 1.1 through 1.9.14 and 1.10.0 through 1.10.7 contain an insecure temporary file handling vulnerability that can lead to sensitive information disclosure and build process compromise. The vulnerability arises from Apache Ant's use of the default temporary directory identified by the Java system property java.io.tmpdir for several tasks. This insecure practice allows local attackers to potentially read sensitive data processed during builds. Furthermore, the fixcrlf and replaceregexp tasks copy files from the temporary directory back into the build tree, enabling an attacker to inject modified source files into the build process.

Critical Impact

Local attackers can exploit insecure temporary file handling to leak sensitive build information and inject malicious code into the build process, potentially compromising software integrity.

Affected Products

  • Apache Ant 1.1 through 1.9.14
  • Apache Ant 1.10.0 through 1.10.7
  • Canonical Ubuntu Linux 19.10
  • Fedora 31 and 32
  • openSUSE Leap 15.2
  • Oracle Agile Engineering Data Management 6.2.1.0
  • Oracle Banking Enterprise Collections, Liquidity Management, and Platform
  • Oracle Business Process Management Suite 12.2.1.3.0 and 12.2.1.4.0
  • Oracle Communications ASAP, Diameter Signaling Router, MetaSolv Solution
  • Oracle Data Integrator 12.2.1.3.0 and 12.2.1.4.0
  • Oracle Primavera Gateway and Unifier (multiple versions)
  • Oracle Retail Suite (multiple products and versions)
  • Oracle TimesTen In-Memory Database
  • Oracle Utilities Framework

Discovery Timeline

  • May 14, 2020 - CVE-2020-1945 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2020-1945

Vulnerability Analysis

This vulnerability (CWE-668: Exposure of Resource to Wrong Sphere) stems from Apache Ant's improper handling of temporary files during build operations. When Ant executes certain tasks, it creates temporary files in the system's default temporary directory without implementing proper access controls or using secure random naming conventions. On multi-user systems, the default temporary directory (typically /tmp on Unix-like systems or %TEMP% on Windows) is world-readable, which means any local user can potentially access files created there.

The vulnerability becomes particularly dangerous because the fixcrlf and replaceregexp tasks not only read from the temporary directory but also copy processed files back into the build tree. This bidirectional file flow creates an opportunity for attackers to plant malicious content in the temporary directory, which then gets incorporated into the legitimate build output. This attack vector could lead to supply chain compromises where malicious code is injected into software during the build process.

Root Cause

The root cause of this vulnerability is the use of the system-wide default temporary directory (java.io.tmpdir) without implementing proper security measures. Apache Ant failed to create task-specific temporary directories with restricted permissions, generate cryptographically random temporary file names to prevent prediction, validate file integrity before copying temporary files back to the build tree, and implement proper file locking mechanisms. This design flaw exposes build artifacts to local attackers who share access to the same temporary directory.

Attack Vector

The attack requires local access to the system where Apache Ant builds are being executed. An attacker positioned on the same system can exploit this vulnerability through the following mechanism:

During an Ant build process, the attacker monitors the default temporary directory for files created by vulnerable Ant tasks. Since the temporary directory is typically world-readable on multi-user systems, the attacker can read sensitive build configuration data, credentials, or source code that Ant processes through temporary files.

For the more severe attack scenario involving code injection, the attacker can predict or race to replace temporary files before the fixcrlf or replaceregexp tasks copy them back to the build directory. By successfully injecting malicious content into these temporary files, the attacker can compromise the integrity of the build output. This could result in backdoored binaries or altered source files being distributed to end users.

Detection Methods for CVE-2020-1945

Indicators of Compromise

  • Unexpected files appearing in the system's default temporary directory with patterns matching Ant task temporary file naming
  • Modified source files in build directories that differ from version control without corresponding developer changes
  • Build output artifacts containing unexpected code or binaries not present in the original source
  • Log entries showing unusual file access patterns in /tmp or %TEMP% directories during Ant build execution

Detection Strategies

  • Monitor file system activity in the default temporary directory (/tmp, /var/tmp, or %TEMP%) during Ant build processes for suspicious read/write operations by unauthorized users
  • Implement file integrity monitoring on build directories to detect unauthorized modifications to source files after build tasks complete
  • Audit Apache Ant installation versions across the infrastructure to identify vulnerable deployments running versions prior to 1.9.15 or 1.10.8
  • Deploy endpoint detection capabilities to identify race condition exploitation attempts targeting temporary files
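For the version audit above, a small classifier can be run over collected `ant -version` output. This is an added example, not SentinelOne or Apache code; the function names are hypothetical, the sample lines are constructed, and the ranges are the ones listed on this page.

```shell
#!/bin/sh
# Added example: flag Ant versions in the affected ranges given on this page
# (1.1 through 1.9.14 and 1.10.0 through 1.10.7).

# Pull "X.Y[.Z]" out of an `ant -version` line, or pass a bare version through.
ant_extract_version() {
    case "$1" in
        *"version "*) v=${1#*version }; v=${v%% *} ;;
        *) v=$1 ;;
    esac
    printf '%s\n' "$v"
}

# Exit status: 0 = affected, 1 = not affected, 2 = could not parse.
ant_is_affected() {
    v=$(ant_extract_version "$1")
    case "$v" in
        ''|*[!0-9.]*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v                      # split on dots; v holds only digits and dots
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 1 ] || return 1
    if [ "$minor" -ge 1 ] && [ "$minor" -le 8 ]; then return 0; fi
    if [ "$minor" -eq 9 ]; then
        if [ "$patch" -le 14 ]; then return 0; else return 1; fi
    fi
    if [ "$minor" -eq 10 ]; then
        if [ "$patch" -le 7 ]; then return 0; else return 1; fi
    fi
    return 1
}

# Constructed inventory: one `ant -version` line per host.
while IFS='|' read -r host line; do
    rc=0; ant_is_affected "$line" || rc=$?
    case $rc in
        0) echo "$host: AFFECTED ($(ant_extract_version "$line"))" ;;
        1) echo "$host: ok ($(ant_extract_version "$line"))" ;;
        *) echo "$host: unparsed" ;;
    esac
done <<'EOF'
build01|Apache Ant(TM) version 1.10.7 compiled on September 1 2019
build02|Apache Ant(TM) version 1.10.8 compiled on May 10 2020
build03|Apache Ant(TM) version 1.9.14 compiled on March 12 2019
build04|ant: command not found
EOF
```

Distribution packages may backport the fix without changing the upstream version string, so treat an "AFFECTED" result on a distro-packaged Ant as a prompt to check the vendor advisory.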

Monitoring Recommendations

  • Enable detailed logging for Ant build processes to capture all file operations and detect anomalies
  • Implement real-time monitoring of build server temporary directories during active build windows
  • Configure alerts for any modifications to build output that do not correlate with legitimate source code changes
  • Establish baseline file access patterns for build processes to identify deviations indicating potential exploitation

How to Mitigate CVE-2020-1945

Immediate Actions Required

  • Upgrade Apache Ant to version 1.9.15 or later (for 1.9.x branch) or version 1.10.8 or later (for 1.10.x branch) immediately
  • Review all systems running vulnerable Apache Ant versions and prioritize patching based on exposure and criticality
  • Audit recent build outputs from vulnerable systems for signs of tampering or unauthorized modifications
  • Restrict access to build servers to minimize the number of local users who could exploit this vulnerability

Patch Information

Apache has released patched versions that address this vulnerability. Users should upgrade to Apache Ant 1.9.15 or later for the 1.9.x release branch, or Apache Ant 1.10.8 or later for the 1.10.x release branch. The patches implement secure temporary file handling with proper access controls and directory isolation. For detailed patch information, refer to the Apache Ant Security Advisory.

Oracle has also released multiple Critical Patch Updates addressing this vulnerability in affected Oracle products. See the Oracle CPU July 2020 and subsequent security alerts for Oracle-specific guidance.

Linux distributions have released updates: Ubuntu Security Notice USN-4380-1, Gentoo GLSA 202007-34, and Fedora package updates are available for affected distributions.

Workarounds

  • Configure a dedicated temporary directory with restricted permissions for Ant builds by setting the java.io.tmpdir system property to a secure, non-shared location
  • Run Ant builds under dedicated service accounts with isolated home directories and temporary file locations
  • Implement build server isolation to prevent local users from accessing the same temporary directories used by build processes
  • Use containerized build environments (Docker, Podman) to isolate temporary file operations from other system users
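```bash
# Configuration example - Set secure temporary directory for Ant builds
# Option 1: Set via ANT_OPTS environment variable
# (the directory must already exist and be accessible only to the build user)
export ANT_OPTS="-Djava.io.tmpdir=/secure/build/tmp"

# Option 2: Create isolated temp directory with restricted permissions
mkdir -p /opt/ant-secure-tmp
chmod 700 /opt/ant-secure-tmp
chown builduser:buildgroup /opt/ant-secure-tmp

# Run Ant with isolated temporary directory.
# Ant's own -D option defines an Ant property, not a JVM system property,
# so java.io.tmpdir is passed to the JVM through ANT_OPTS.
ANT_OPTS="-Djava.io.tmpdir=/opt/ant-secure-tmp" ant build
```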
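The workaround only helps if the directory really is private at build time. The following preflight check is an added example, not part of the original page or of Apache Ant; `tmpdir_is_private` and `run_ant_private_tmp` are hypothetical names, and the scratch directory is created only for the demonstration.

```shell
#!/bin/sh
# Added example: refuse to start Ant unless java.io.tmpdir is a private directory.

# tmpdir_is_private DIR -> 0 only if DIR is a real directory (not a symlink),
# owned by the current user, with mode exactly rwx------ and no ACL marker.
tmpdir_is_private() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # ls -ldn prints: <mode> <links> <uid> <gid> ...
    set -- $(ls -ldn -- "$dir")
    mode=$1; owner=$3
    case "$mode" in
        drwx------|drwx------.) ;;   # a trailing '.' is the SELinux context marker
        *) return 1 ;;               # any group/other bit, or '+' (ACL), is rejected
    esac
    [ "$owner" = "$(id -u)" ]
}

# run_ant_private_tmp DIR [ant arguments...]
run_ant_private_tmp() {
    dir=$1; shift
    if ! tmpdir_is_private "$dir"; then
        echo "refusing to build: $dir is not private (need mode 700, owner $(id -un))" >&2
        return 1
    fi
    # JVM system properties reach Ant through ANT_OPTS; keep any existing options.
    ANT_OPTS="${ANT_OPTS:+$ANT_OPTS }-Djava.io.tmpdir=$dir" ant "$@"
}

# Demonstration on a constructed scratch directory (mktemp -d creates it mode 700).
demo=$(mktemp -d)
tmpdir_is_private "$demo" && echo "accepted: $demo"
chmod 755 "$demo"
tmpdir_is_private "$demo" || echo "rejected: $demo (mode 755)"
rmdir "$demo"
```

In a CI job the wrapper would replace the direct `ant` call, for example `run_ant_private_tmp /opt/ant-secure-tmp build`.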

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Information Disclosure
  • Vendor/Tech: Apache Ant
  • Severity: MEDIUM
  • CVSS Score: 6.3
  • EPSS Probability: 0.02%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Impact Assessment

  • Confidentiality: High
  • Integrity: None
  • Availability: None

CWE References

  • CWE-668

Technical References

  • openSUSE Security Announcement

  • OpenWall OSS-Security Update

  • OpenWall OSS-Security Discussion

  • Apache Hive Issue Discussion

  • Apache Creadur Development Thread

  • Apache Creadur Development Update

  • Apache Creadur Development Note

  • Apache Hive Development Communication

  • Apache Creadur Update Notice

  • Apache Creadur Thread

  • Apache Creadur Development Inquiry

  • Apache Hive Issue Discussion

  • Apache Hive Issue Review

  • Apache Creadur Development Update

  • Apache MyFaces Commit Notice

  • Apache Creadur Development Update

  • Apache Creadur Communication

  • Apache Groovy Notification

  • Apache Groovy Commit Notice

  • Apache Torque Development Discussion

  • Apache Hive Issue Update

  • Apache Hive Issue Inquiry

  • Apache Ant Development Thread

  • Apache Creadur Development Discussion

  • Apache Announce Thread

  • Apache Groovy Development Thread

  • Apache Groovy User Inquiry

  • Apache Groovy Notification

  • Apache Creadur Development Update

  • Apache MyFaces Commit Note

  • Apache Announce Notice

  • Apache Creadur Development Inquiry

  • Apache Ant Development Update

  • Apache Ant User Discussion

  • Apache Groovy Notification

  • Apache Creadur Development Communication

  • Apache Creadur Inquiry

  • Apache Creadur Commit Notice

  • Apache Creadur Issue Update

  • Fedora Package Announcement

  • Fedora Package Announcement

  • Gentoo GLSA 202007-34

  • Ubuntu Security Notice USN-4380-1

Vendor Resources

  • Apache Hive Issue Follow-Up

  • Oracle CPU July 2021 Security Alert

  • Oracle CPU April 2021 Security Alert

  • Oracle CPU January 2021 Security Alert

  • Oracle CPU January 2022 Security Alert

  • Oracle CPU July 2020 Security Alert

  • Oracle CPU October 2020 Security Alert

  • Oracle CPU October 2021 Security Alert

  • Oracle

Related CVEs

  • CVE-2021-36374: Apache Ant DOS Vulnerability

  • CVE-2021-36373: Apache Ant DOS Vulnerability

  • CVE-2020-11979: Apache Ant Temporary File Vulnerability