CVE-2020-10691
published 2020-04-30CVE-2020-10691: An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a…
medium5.2CVSS 3.1
AVLACLPRLUINSCCNILAL
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ansible | < ansible 2.9.7+dfsg-1 (bookworm) | ansible 2.9.7+dfsg-1 (bookworm) |
| red_hat | ansible | — | — |
| redhat | ansible | >= 0 < 2.9.7+dfsg-1 | 2.9.7+dfsg-1 |
| redhat | ansible | >= 0 < 2.9.7+dfsg-1 | 2.9.7+dfsg-1 |
| redhat | ansible | >= 0 < 2.9.7+dfsg-1 | 2.9.7+dfsg-1 |
| redhat | ansible | >= 0 < 2.9.7+dfsg-1 | 2.9.7+dfsg-1 |
| redhat | ansible | >= 2.9.0a1 < 2.9.7 | 2.9.7 |
| redhat | ansible_engine | >= 2.9.0 < 2.9.7 | 2.9.7 |
| redhat | ansible_tower | — | — |
CVSS provenance
nvdv3.15.2MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
osv5.2MEDIUM