Skip to content

Exposure of Resource to Wrong Sphere and Insecure Temporary File in Ansible

Moderate severity GitHub Reviewed Published Feb 9, 2022 to the GitHub Advisory Database • Updated Sep 9, 2024

Package

pip ansible (pip)

Affected versions

>= 2.10.0a1, < 2.10.0rc1
< 2.9.12

Patched versions

2.10.0rc1
2.9.12

Description

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.

References

Published by the National Vulnerability Database May 15, 2020
Reviewed Apr 5, 2021
Published to the GitHub Advisory Database Feb 9, 2022
Last updated Sep 9, 2024

Severity

Moderate

EPSS score

0.044%
(14th percentile)

Weaknesses

CVE ID

CVE-2020-10744

GHSA ID

GHSA-vp9j-rghq-8jhh

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.