Moderate severityNVD Advisory· Published Mar 16, 2020· Updated Aug 4, 2024
CVE-2020-1736
CVE-2020-1736
Description
A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ansiblePyPI | >= 2.7.0, <= 2.10.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- github.com/advisories/GHSA-x7jh-595q-wq82ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NYYQP2XJB2TTRP6AKWVMBSPB2DFJNKD/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPNZWBAUP4ZHUR6PO7U6ZXEKNCX62KZ7/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2020-1736ghsaADVISORY
- security.gentoo.org/glsa/202006-11ghsavendor-advisoryx_refsource_GENTOOWEB
- bugzilla.redhat.com/show_bug.cgighsax_refsource_CONFIRMWEB
- github.com/ansible/ansible/issues/67794ghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-8.yamlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NYYQP2XJB2TTRP6AKWVMBSPB2DFJNKDghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPNZWBAUP4ZHUR6PO7U6ZXEKNCX62KZ7ghsaWEB
News mentions
0No linked articles in our index yet.