CVE-2020-1740
Severity: 4.7 MEDIUM
EPSS: 0.0% (top 91.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 16
Latest update: Apr 7
Description
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to …
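The file-handling pattern named in the description, shown beside a safer form. This is an added illustration, not Ansible's own code: the function names and the sample secret are constructed here, and a POSIX system is assumed.

```python
import os
import stat
import tempfile


def insecure_rewrite(secret: bytes, workdir: str) -> int:
    """Pattern from the description: mkstemp, close the fd, delete, recreate."""
    fd, path = tempfile.mkstemp(dir=workdir)  # created exclusively, mode 0600
    os.close(fd)                              # the protected descriptor is discarded
    os.remove(path)                           # the name is free again: the
                                              # exclusive-create guarantee is lost
    with open(path, "wb") as fh:              # recreated with mode 0666 & ~umask
        fh.write(secret)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.remove(path)
    return mode


def safe_write(secret: bytes, workdir: str) -> int:
    """Write through the descriptor mkstemp returned; never reopen by name."""
    fd, path = tempfile.mkstemp(dir=workdir)
    try:
        with os.fdopen(fd, "wb") as fh:       # same inode, still mode 0600
            fh.write(secret)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.remove(path)


def compare(umask: int = 0o022):
    """Return (insecure_mode, safe_mode) for the given process umask."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            secret = b"constructed-secret"    # constructed sample value
            return insecure_rewrite(secret, workdir), safe_write(secret, workdir)
    finally:
        os.umask(old)


if __name__ == "__main__":
    bad, good = compare()
    print(f"recreated file: {bad:04o}  mkstemp descriptor: {good:04o}")
```

A restrictive umask such as 077 hides the permission difference, but the recreated file is still opened by name after deletion, so the exclusive-creation property of mkstemp is not restored.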
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 0.8 | Impact: 2.7
Affected Packages: 7 packages
Also affects: Debian Linux 10.0, 8.0, Fedora 30, 31, 32
Vulnerability Details (4)
OSV: Exposure of Sensitive Information to an Unauthorized Actor and Insecure Temporary File in Ansible (2021-04-07)
GHSA: Exposure of Sensitive Information to an Unauthorized Actor and Insecure Temporary File in Ansible (2021-04-07)
CVEList: CVE-2020-1740: A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files (2020-03-16)
OSV: CVE-2020-1740: A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files (2020-03-16)
Vendor Advisories (2)
Community (6)
Bugzilla: CVE-2020-27769 ImageMagick: outside the range of representable values of type 'float' at MagickCore/quantize.c (2020-11-04)