Vulnerability in Ansible Engine and Ansible Tower Affecting Decryption Process
CVE-2020-10685

5MEDIUM

Key Information:

Vendor: Red Hat
Status: Ansible
Vendor: CVE Published:; 11 May 2020

Summary

A security flaw exists in Ansible Engine and Ansible Tower that affects versions utilizing modules to decrypt vault files. The issue arises when decrypted temporary files are stored in the /tmp directory, which is not cleared until the system reboots. This flaw poses a significant risk, especially on systems where /tmp is not configured as a temporary filesystem. As a result, sensitive decrypted data may remain accessible after runtime, making it imperative for users to ensure this data is removed immediately after use to avoid potential exposure.

Affected Version(s)

Ansible ansible-engine versions 2.7.x before 2.7.17

Ansible ansible-engine 2.8.x before 2.8.11

Ansible ansible-engine 2.9.x before 2.9.7

References

https://security.gentoo.org/glsa/202006-11

vendor-advisory

https://www.debian.org/security/2021/dsa-4950

vendor-advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10685

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 11, 2020
Vulnerability Reserved
Mar 20, 2020