CVE-2020-10744
Description
The fix for CVE-2020-1733 (ansible: insecure temporary directory when running become_user from become directive) was found to be incomplete. It is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 and earlier versions are affected, as are Ansible Tower 3.4.5, 3.5.6, and 3.6.4 and earlier versions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ansible (PyPI) | >= 2.10.0a1, < 2.10.0rc1 | 2.10.0rc1 |
| ansible (PyPI) | < 2.9.12 | 2.9.12 |
Affected products (1)
Patches (3)
84afa8e90cd1 Fix missing quoting for remote_tmp in second mkdir of shell module. Issue #69577 (#69578) (#70758)
3 files changed · +8 −1
changelogs/fragments/69578-shell-remote_tmp-quoting.yaml+2 −0 added@@ -0,0 +1,2 @@ +bugfixes: + - shell - fix quoting of mkdir command in creation of remote_tmp in order to allow spaces and other special characters (https://github.com/ansible/ansible/issues/69577).
lib/ansible/plugins/shell/__init__.py+1 −1 modified@@ -157,7 +157,7 @@ def mkdtemp(self, basefile=None, system=False, mode=0o700, tmpdir=None): # use mkdir -p to ensure parents exist, but mkdir fullpath to ensure last one is created by us cmd = 'mkdir -p %s echo %s %s' % (self._SHELL_SUB_LEFT, basetmpdir, self._SHELL_SUB_RIGHT) - cmd += '%s mkdir %s' % (self._SHELL_AND, basetmp) + cmd += '%s mkdir %s echo %s %s' % (self._SHELL_AND, self._SHELL_SUB_LEFT, basetmp, self._SHELL_SUB_RIGHT) cmd += ' %s echo %s=%s echo %s %s' % (self._SHELL_AND, basefile, self._SHELL_SUB_LEFT, basetmp, self._SHELL_SUB_RIGHT) # change the umask in a subshell to achieve the desired mode
test/integration/targets/config/runme.sh+5 −0 modified@@ -8,3 +8,8 @@ ANSIBLE_TIMEOUT= ansible -m ping testhost -i ../../inventory "$@" # env var is wrong type, this should be a fatal error pointing at the setting ANSIBLE_TIMEOUT='lola' ansible -m ping testhost -i ../../inventory "$@" 2>&1|grep 'Invalid type for configuration option setting: DEFAULT_TIMEOUT' + +# https://github.com/ansible/ansible/issues/69577 +ANSIBLE_REMOTE_TMP="$HOME/.ansible/directory_with_no_space" ansible -m ping testhost -i ../../inventory "$@" + +ANSIBLE_REMOTE_TMP="$HOME/.ansible/directory with space" ansible -m ping testhost -i ../../inventory "$@" \ No newline at end of file
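Review bot: In mkdtemp() in lib/ansible/plugins/shell/__init__.py, the new second mkdir still formats basetmp into the command string with a plain %s, so its only protection is whatever self._SHELL_SUB_LEFT and self._SHELL_SUB_RIGHT place around "echo %s"; nothing in these lines shows basetmp being escaped before it reaches cmd. The changelog fragment promises support for "spaces and other special characters", so please confirm that the wrapper is safe for shell metacharacters in the path and not only for spaces, or escape basetmp before it is formatted in. The same applies to the unchanged lines that format basetmpdir and basetmp in the same way.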
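Review bot: The two ANSIBLE_REMOTE_TMP cases added to test/integration/targets/config/runme.sh cover a path without a space and a path with a single space, while the changelog fragment claims "spaces and other special characters". Add at least one case whose directory name contains a shell metacharacter, and check that the directory was created at the expected path instead of only running ansible -m ping. The file also now ends without a trailing newline ("\ No newline at end of file"); please add one.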
ffd3757fc354 Fix missing quoting for remote_tmp in second mkdir of shell module. Issue #69577 (#69578) (#70757)
3 files changed · +8 −1
changelogs/fragments/69578-shell-remote_tmp-quoting.yaml+2 −0 added@@ -0,0 +1,2 @@ +bugfixes: + - shell - fix quoting of mkdir command in creation of remote_tmp in order to allow spaces and other special characters (https://github.com/ansible/ansible/issues/69577).
lib/ansible/plugins/shell/__init__.py+1 −1 modified@@ -157,7 +157,7 @@ def mkdtemp(self, basefile=None, system=False, mode=0o700, tmpdir=None): # use mkdir -p to ensure parents exist, but mkdir fullpath to ensure last one is created by us cmd = 'mkdir -p %s echo %s %s' % (self._SHELL_SUB_LEFT, basetmpdir, self._SHELL_SUB_RIGHT) - cmd += '%s mkdir %s' % (self._SHELL_AND, basetmp) + cmd += '%s mkdir %s echo %s %s' % (self._SHELL_AND, self._SHELL_SUB_LEFT, basetmp, self._SHELL_SUB_RIGHT) cmd += ' %s echo %s=%s echo %s %s' % (self._SHELL_AND, basefile, self._SHELL_SUB_LEFT, basetmp, self._SHELL_SUB_RIGHT) # change the umask in a subshell to achieve the desired mode
test/integration/targets/config/runme.sh+5 −0 modified@@ -8,3 +8,8 @@ ANSIBLE_TIMEOUT= ansible -m ping testhost -i ../../inventory "$@" # env var is wrong type, this should be a fatal error pointing at the setting ANSIBLE_TIMEOUT='lola' ansible -m ping testhost -i ../../inventory "$@" 2>&1|grep 'Invalid type for configuration option setting: DEFAULT_TIMEOUT' + +# https://github.com/ansible/ansible/issues/69577 +ANSIBLE_REMOTE_TMP="$HOME/.ansible/directory_with_no_space" ansible -m ping testhost -i ../../inventory "$@" + +ANSIBLE_REMOTE_TMP="$HOME/.ansible/directory with space" ansible -m ping testhost -i ../../inventory "$@" \ No newline at end of file
77d0effcc5b2 Fix missing quoting for remote_tmp in second mkdir of shell module. Issue #69577 (#69578)
3 files changed · +8 −1
changelogs/fragments/69578-shell-remote_tmp-quoting.yaml+2 −0 added@@ -0,0 +1,2 @@ +bugfixes: + - shell - fix quoting of mkdir command in creation of remote_tmp in order to allow spaces and other special characters (https://github.com/ansible/ansible/issues/69577).
lib/ansible/plugins/shell/__init__.py+1 −1 modified@@ -164,7 +164,7 @@ def mkdtemp(self, basefile=None, system=False, mode=0o700, tmpdir=None): # use mkdir -p to ensure parents exist, but mkdir fullpath to ensure last one is created by us cmd = 'mkdir -p %s echo %s %s' % (self._SHELL_SUB_LEFT, basetmpdir, self._SHELL_SUB_RIGHT) - cmd += '%s mkdir %s' % (self._SHELL_AND, basetmp) + cmd += '%s mkdir %s echo %s %s' % (self._SHELL_AND, self._SHELL_SUB_LEFT, basetmp, self._SHELL_SUB_RIGHT) cmd += ' %s echo %s=%s echo %s %s' % (self._SHELL_AND, basefile, self._SHELL_SUB_LEFT, basetmp, self._SHELL_SUB_RIGHT) # change the umask in a subshell to achieve the desired mode
test/integration/targets/config/runme.sh+5 −0 modified@@ -8,3 +8,8 @@ ANSIBLE_TIMEOUT= ansible -m ping testhost -i ../../inventory "$@" # env var is wrong type, this should be a fatal error pointing at the setting ANSIBLE_TIMEOUT='lola' ansible -m ping testhost -i ../../inventory "$@" 2>&1|grep 'Invalid type for configuration option setting: DEFAULT_TIMEOUT' + +# https://github.com/ansible/ansible/issues/69577 +ANSIBLE_REMOTE_TMP="$HOME/.ansible/directory_with_no_space" ansible -m ping testhost -i ../../inventory "$@" + +ANSIBLE_REMOTE_TMP="$HOME/.ansible/directory with space" ansible -m ping testhost -i ../../inventory "$@" \ No newline at end of file
References (8)
- github.com/advisories/GHSA-vp9j-rghq-8jhh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-10744 (ghsa, ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (ghsa, x_refsource_CONFIRM, WEB)
- github.com/ansible/ansible/commit/77d0effcc5b2da1ef23e4ba32986a9759c27c10d (ghsa, WEB)
- github.com/ansible/ansible/commit/84afa8e90cd168ff13208c8eae3e533ce7e21e1f (ghsa, WEB)
- github.com/ansible/ansible/commit/ffd3757fc35468a97791e452e7f2d14c3e3fcb80 (ghsa, WEB)
- github.com/ansible/ansible/issues/69782 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-208.yaml (ghsa, WEB)