Archive Traversal Vulnerability in Ansible Engine by Red Hat
CVE-2020-10691

5.2MEDIUM

Key Information:

Vendor
Red Hat
Status
Ansible
Vendor
CVE Published:
30 April 2020

Summary

An archive traversal flaw is present in all versions of Ansible Engine 2.9.x prior to 2.9.7. This vulnerability is triggered when using the 'ansible-galaxy collection install' command, allowing an attacker to extract a malicious .tar.gz collection file. The flaw stems from the lack of filename sanitization during directory creation, enabling potential overwriting of any file on the system, thereby compromising system integrity. Users are advised to upgrade to version 2.9.7 or later to mitigate this risk.

Affected Version(s)

Ansible all ansible-engine versions 2.9.x prior to 2.9.7

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691
x_refsource_CONFIRM
https://github.com/ansible/ansible/pull/68596
x_refsource_CONFIRM

CVSS V3.1

Score:
5.2
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.