Severity: 5.0 MEDIUM
EPSS: 0.0% (top 88.45%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 15; latest update Jun 7

Description

The fix for CVE-2020-1733 (ansible: insecure temporary directory when running become_user from become directive) was found to be incomplete. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 and previous versions are affected, as are Ansible Tower 3.4.5, 3.5.6, and 3.6.4 and previous versions.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
Exploitability: 0.8 | Impact: 3.7

Affected Packages (5 packages)

NVD: redhat/ansible_tower 3.4.0, 3.4.5 (+2)
PyPI: ansible 2.10.0a1, 2.10.0rc1 (+1)
Debian: ansible < 2.9.13+dfsg-1 (+3)
NVD: redhat/ansible 2.7.0, 2.7.18 (+2)
CVEListV5: red_hat/ansible 6 versions (+5)

Vulnerability Details (5)

OSV: ansible vulnerabilities (2022-06-07)
OSV: Exposure of Resource to Wrong Sphere and Insecure Temporary File in Ansible (2022-02-09)
GHSA: Exposure of Resource to Wrong Sphere and Insecure Temporary File in Ansible (2022-02-09)
CVEList: CVE-2020-10744: An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive (2020-05-15)
OSV: CVE-2020-10744: An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive (2020-05-15)

Vendor Advisories (4)

Ubuntu: Ansible vulnerabilities (2022-06-07)
Red Hat: ansible: incomplete fix for CVE-2020-1733 (2020-05-14)
Microsoft: An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the (2020-05-12)
Debian: CVE-2020-10744: ansible - An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insec... (2020)

Community (4)

Bugzilla: CVE-2020-10744 ansible: incomplete fix for CVE-2020-1733 [fedora-all] (2020-05-14)
Bugzilla: CVE-2020-10744 ansible: incomplete fix for CVE-2020-1733 [openstack-rdo] (2020-05-14)
Bugzilla: CVE-2020-10744 ansible: incomplete fix for CVE-2020-1733 (2020-05-14)
Bugzilla: CVE-2020-10744 ansible: incomplete fix for CVE-2020-1733 [epel-all] (2020-05-14)