CVE-2020-10691

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.

CVSS v3 5.2 MEDIUM
CVSS v2.0 3.6 LOW

5.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.0 / Impact : 2.7

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

3.6^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:N/I:P/A:P

Exploitability : 3.9 / Impact : 4.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691	Issue Tracking Mitigation Vendor Advisory
https://github.com/ansible/ansible/pull/68596	Patch Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691	Issue Tracking Mitigation Vendor Advisory
https://github.com/ansible/ansible/pull/68596	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*

History

21 Nov 2024, 04:55

Type	Values Removed	Values Added
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691 - Issue Tracking, Mitigation, Vendor Advisory~~	() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691 - Issue Tracking, Mitigation, Vendor Advisory
References	~~() https://github.com/ansible/ansible/pull/68596 - Patch, Third Party Advisory~~	() https://github.com/ansible/ansible/pull/68596 - Patch, Third Party Advisory

Information

Published : 2020-04-30 17:15

Updated : 2024-11-21 04:55

NVD link : CVE-2020-10691

Mitre link : CVE-2020-10691

CVE.ORG link : CVE-2020-10691

JSON object : View

Products Affected

redhat

ansible_engine
ansible_tower

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2020-10691", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.7, "exploitabilityScore": 2.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.7, "exploitabilityScore": 2.0}]}, "published": "2020-04-30T17:15:11.957", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/ansible/ansible/pull/68596", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ansible/ansible/pull/68596", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system."}, {"lang": "es", "value": "Se ha detectado un fallo de salto de archivo en todas las versiones de ansible-engine 2.9.x anteriores a 2.9.7, cuando se ejecuta una instalaci\u00f3n de una colecci\u00f3n ansible-galaxy. Al extraer un archivo .tar.gz de la colecci\u00f3n, el directorio es creado sin sanear el nombre del archivo. Un atacante podr\u00eda aprovechar para sobrescribir cualquier archivo dentro del sistema."}], "lastModified": "2024-11-21T04:55:51.900", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9CB17437-BAA5-41DF-B0EB-857441A81804", "versionEndExcluding": "2.9.7", "versionStartIncluding": "2.9.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B31C575C-06D2-4CAF-A5B7-B9469B3ED55F"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}