CVE-2013-4260 — Improper Preservation of Permissions in Redhat Ansible

CWE-264 CWE-281 — Improper Preservation of Permissions9 documents6 sources

Severity

3.3LOWNVD

EPSS

0.1%

top 75.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible

Timeline

PublishedSep 16

Latest updateMay 14

Description

lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/.

CVSS vector

AV:L/AC:M/C:N/I:P/A:PExploitability: 3.4 | Impact: 4.9

Affected Packages2 packages

▶PyPIredhat/ansible1.2 — 1.2.3+1

▶NVDredhat/ansible1.2, 1.2.1, 1.2.2+2

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

Ansible Arbitrary File Overwrite Vulnerability↗2022-05-14

▶

GHSA

Ansible Arbitrary File Overwrite Vulnerability↗2022-05-14

▶

CVEList

CVE-2013-4260: lib/ansible/playbook/__init__↗2013-09-16

▶

OSV

CVE-2013-4260: lib/ansible/playbook/__init__↗2013-09-16

▶

📋Vendor Advisories

Debian

CVE-2013-4260: ansible - lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook do...↗2013

▶

💬Community

Bugzilla

CVE-2013-4259 CVE-2013-4260 ansible: various flaws [fedora-all]↗2013-08-21

▶

Bugzilla

CVE-2013-4260 ansible: predictible filename used for failed result in world writable directory [epel-6]↗2013-08-21

▶

Bugzilla

CVE-2013-4260 ansible: predictible filename used for failed result in world writable directory↗2013-08-18

▶