Safeguard
Vulnerability Analysis

Apache Ant 'Get' Task Certificate Validation Failure (CVE...

CVE-2020-1945 exposes insecure temp-file handling in Apache Ant, risking data leaks and build-tampering. Affected versions, CVSS/EPSS context, and fixes inside.

Vikram Iyer
Security Researcher
Updated 7 min read

Apache Ant is one of the most enduring Java build tools in existence, powering compilation and packaging pipelines across countless enterprise codebases long before Maven and Gradle became popular. That longevity is exactly why CVE-2020-1945 matters: it's a vulnerability in how Ant handles temporary files during a build, and it affected nearly every version of the tool released over more than a decade. CVE-2020-1945 stems from Ant's reliance on the shared, system-wide temporary directory (java.io.tmpdir) for several of its tasks, which can leak sensitive build data to other local users and, in specific task combinations, let an attacker inject modified source files back into the build tree before compilation.

This post breaks down what CVE-2020-1945 actually is, which Apache Ant releases are affected, how severe the issue is in practice, and what teams running Ant-based build pipelines should do about it.

What Is CVE-2020-1945?

CVE-2020-1945 is tracked under CWE-668: Exposure of Resource to Wrong Sphere. The root problem is straightforward: several Ant tasks write intermediate files to the default temporary directory exposed by the Java system property java.io.tmpdir. On many multi-user systems, that directory is world-readable (or even world-writable), so any other local account on the same host — a common situation on shared build servers or CI runners — can potentially read files Ant drops there during a build.

The issue goes a step further with two specific tasks: fixcrlf and replaceregexp. Both tasks copy their working files from the temporary directory back into the build tree once processing finishes. Because the temp directory is shared and not scoped to the invoking user, a local attacker who can predict or race the temp file location has an opportunity to substitute their own content. If that tampered file gets copied back into the source tree by fixcrlf or replaceregexp, it can end up compiled and shipped as part of the final build artifact — a textbook build-time supply chain compromise, not just an information disclosure bug.

Affected Versions and Components

CVE-2020-1945 affects a very wide swath of the Apache Ant release history:

  • Apache Ant 1.1 through 1.9.14
  • Apache Ant 1.10.0 through 1.10.7

That range covers essentially every actively used branch of the project at the time of disclosure. The Apache Ant project fixed the flaw in Ant 1.9.15 and Ant 1.10.8, both released on May 13, 2020. Those releases introduced a new ant.tmpfile Ant property, giving build authors a way to point temp-file handling at a directory they control instead of the shared system default.

It's worth noting that CVE-2020-1945 was disclosed alongside a closely related issue, CVE-2020-11979, which the Apache Ant security team also attributes to insecure temporary file handling in the same era of releases. Any organization patching for one should confirm they've also addressed the other. The same root-cause pattern — predictable, shared, world-readable temp locations — also surfaced that same year in Google's Guava library as CVE-2020-8908, a reminder that insecure temp-directory handling is a recurring class of bug across the Java ecosystem, not a one-off Ant quirk.

Because Apache Ant is embedded — directly or transitively — inside IDEs, application servers, CI/CD tooling, and countless internal build scripts, this CVE has shown up in security bulletins from vendors well beyond the Apache project itself, including enterprise platforms that bundle Ant as part of their own build or deployment tooling.

CVSS, EPSS, and KEV Context

  • CVSS v3.1 Base Score: 6.3 (Medium) — Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
  • CVSS v2.0 Base Score: 3.3 (Low) — Vector: AV:L/AC:M/Au:N/C:P/I:P/A:N
  • EPSS: approximately 0.018 (1.8% predicted exploitation probability), placing it around the 76th percentile of scored vulnerabilities — low, but not negligible, relative likelihood compared to the broader vulnerability population.
  • CISA KEV Catalog: CVE-2020-1945 does not appear on CISA's Known Exploited Vulnerabilities list as of this writing, consistent with its local attack vector and lack of any public reporting of active exploitation.

The CVSS v3.1 vector tells the real story: the attack vector is Local (AV:L), meaning an attacker needs some form of access to the same host running the build, and attack complexity is High (AC:H), reflecting the timing/race conditions involved in exploiting the temp-file handoff. The impact, when successful, is significant — high confidentiality and integrity impact — because a successful exploit can mean either sensitive build data exposure or a tampered artifact shipping downstream. This is a classic case where the CVSS number understates the consequence of exploitation while accurately capturing how hard it is to pull off. Shared, multi-tenant build infrastructure — think self-hosted CI runners, shared developer VMs, or build agents that aren't ephemeral per job — is exactly the environment where this class of bug becomes practical.

Timeline

  • Pre-2020: The insecure temp-directory pattern exists across the full range of affected Ant releases, dating back to the 1.x series.
  • May 13, 2020: Apache Ant releases 1.9.15 and 1.10.8, fixing the temp-file handling issue and introducing the ant.tmpfile property.
  • May 14, 2020: CVE-2020-1945 is publicly disclosed and published to the NVD, alongside the related CVE-2020-11979.
  • Ongoing: The advisory continues to surface in third-party security bulletins from vendors (application servers, log analytics platforms, control-plane products) that bundle Apache Ant as a build dependency, since patching upstream doesn't automatically patch every downstream integrator.

Remediation Steps

  1. Upgrade Apache Ant. Move to 1.9.15 or later on the 1.9.x line, or 1.10.8 or later on the 1.10.x line. This is the only complete fix, since it's the release that introduces safer temp-file handling and the ant.tmpfile property.
  2. If you can't upgrade immediately, isolate the temp directory. Set the java.io.tmpdir system property to a directory that only the build user can read and write, rather than relying on the OS default shared temp path. Pass it explicitly when invoking the JVM that runs Ant.
  3. Use ant.tmpfile on patched versions. Once upgraded, explicitly set the ant.tmpfile Ant property to a private, per-build location rather than assuming the default is safe on every host you deploy to.
  4. Audit your build scripts for fixcrlf and replaceregexp usage. These are the two tasks with the confirmed source-injection path. Know where they run and whether they execute on shared infrastructure.
  5. Harden shared build infrastructure. Avoid multi-tenant build hosts where untrusted or lower-privileged users share a filesystem with your build process. Ephemeral, per-job containers or VMs for CI runners eliminate most of the local-access precondition this CVE depends on.
  6. Inventory Ant across your supply chain. Because Ant ships embedded inside other tools, patching your own build scripts isn't enough — confirm the version bundled inside any third-party platforms, IDE plugins, or legacy application servers your teams still depend on.

How Safeguard Helps

CVE-2020-1945 is a good example of why build tooling itself deserves the same scrutiny as application dependencies. A Java build tool like Apache Ant sits at a privileged point in the software supply chain — it reads source, writes artifacts, and often runs with more filesystem access than the code it's compiling. A weakness there doesn't just affect "the tool," it affects everything that tool touches.

Safeguard's platform is built to catch exactly this kind of gap. We continuously inventory the build tooling, language runtimes, and CI dependencies across your pipelines — including transitive uses of Apache Ant bundled inside other platforms — and flag versions matching known CVEs like CVE-2020-1945 before they become a finding in an audit or, worse, an incident. Rather than treating every CVE as equally urgent, Safeguard correlates CVSS severity with EPSS exploitation likelihood and KEV status so teams can prioritize the handful of build-tool and dependency issues that actually warrant immediate action over the long tail that doesn't.

Beyond version detection, Safeguard inspects the build environment configuration itself: shared versus isolated temp directories, filesystem permissions on build hosts, artifact provenance from source through packaging, and TLS validation on every external download a pipeline makes — the same class of build-integrity hygiene that would have blunted the impact of CVE-2020-1945 even before a patch was applied. That combination of software composition visibility and build-environment posture checking is what lets teams trust that what left the build pipeline is what they intended to ship — not something quietly substituted along the way.

Sources: Apache Ant Security Reports, NVD CVE-2020-1945, GitHub Advisory GHSA-4p6w-m9wc-c9c9, FIRST.org EPSS

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.