Action not permitted
Modal body text goes here.
CVE-2020-1733
Vulnerability from cvelistv5
Published
2020-03-11 18:47
Modified
2024-08-04 06:46
Severity ?
EPSS score ?
Summary
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T06:46:30.850Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/ansible/ansible/issues/67791" }, { "name": "FEDORA-2020-1b6ce91e37", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/" }, { "name": "FEDORA-2020-3990f03ba3", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/" }, { "name": "FEDORA-2020-f80154b5b4", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/" }, { "name": "[debian-lts-announce] 20200505 [SECURITY] [DLA 2202-1] ansible security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html" }, { "name": "GLSA-202006-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202006-11" }, { "name": "DSA-4950", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4950" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Ansible", "vendor": "Red Hat", "versions": [ { "status": "affected", "version": "2.7.17 and prior" }, { "status": "affected", "version": "2.8.9 and prior" }, { "status": "affected", "version": "2.9.6 and prior" } ] } ], "descriptions": [ { "lang": "en", "value": "A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-377", "description": "CWE-377", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-07T14:06:41", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ansible/ansible/issues/67791" }, { "name": "FEDORA-2020-1b6ce91e37", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/" }, { "name": "FEDORA-2020-3990f03ba3", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/" }, { "name": "FEDORA-2020-f80154b5b4", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/" }, { "name": "[debian-lts-announce] 20200505 [SECURITY] [DLA 2202-1] ansible security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html" }, { "name": "GLSA-202006-11", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202006-11" }, { "name": "DSA-4950", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4950" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-1733", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Ansible", "version": { "version_data": [ { "version_value": "2.7.17 and prior" }, { "version_value": "2.8.9 and prior" }, { "version_value": "2.9.6 and prior" } ] } } ] }, "vendor_name": "Red Hat" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027." } ] }, "impact": { "cvss": [ [ { "vectorString": "5/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.0" } ] ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-377" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733" }, { "name": "https://github.com/ansible/ansible/issues/67791", "refsource": "MISC", "url": "https://github.com/ansible/ansible/issues/67791" }, { "name": "FEDORA-2020-1b6ce91e37", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/" }, { "name": "FEDORA-2020-3990f03ba3", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/" }, { "name": "FEDORA-2020-f80154b5b4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/" }, { "name": "[debian-lts-announce] 20200505 [SECURITY] [DLA 2202-1] ansible security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html" }, { "name": "GLSA-202006-11", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202006-11" }, { "name": "DSA-4950", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4950" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-1733", "datePublished": "2020-03-11T18:47:40", "dateReserved": "2019-11-27T00:00:00", "dateUpdated": "2024-08-04T06:46:30.850Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2020-1733\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2020-03-11T19:15:13.030\",\"lastModified\":\"2023-11-07T03:19:30.637\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \\\"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\\\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 un fallo de condici\u00f3n de carrera en Ansible Engine versiones 2.7.17 y anteriores, 2.8.9 y anteriores, 2.9.6 y anteriores, cuando se ejecuta un playbook con un usuario convertido a no privilegiado. Cuando Ansible necesita ejecutar un m\u00f3dulo con un usuario convertido, el directorio temporal es creado en /var/tmp. Este directorio se crea con \\\"umask 77 \u0026amp;\u0026amp; mkdir -p (dir)\\\"; Esta operaci\u00f3n no tiene un fallo si el directorio ya existe y es propiedad de otro usuario. Un atacante podr\u00eda tomar ventaja para tomar el control del usuario convertido, ya que el directorio de destino puede ser recuperado iterando \\\"/proc//cmdline\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.8,\"impactScore\":3.7},{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.8,\"impactScore\":3.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:H/Au:N/C:P/I:P/A:P\",\"accessVector\":\"LOCAL\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":3.7},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":1.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]},{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-377\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.7.16\",\"matchCriteriaId\":\"89338CDC-A956-4F24-A2A2-EA5CFD78F235\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.8.0\",\"versionEndExcluding\":\"2.8.8\",\"matchCriteriaId\":\"11CEC9EC-8999-4E40-92CA-AA68D623129D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.9.0\",\"versionEndIncluding\":\"2.9.5\",\"matchCriteriaId\":\"FA56E1B5-A742-4D2E-BF0B-C806689A3E05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.3.4\",\"matchCriteriaId\":\"C3C5721F-050A-42A3-A71D-6C6BA23D58FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.3.5\",\"versionEndIncluding\":\"3.4.5\",\"matchCriteriaId\":\"64DD1400-5512-493E-85DB-B3C18FBB2DBB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.5.0\",\"versionEndIncluding\":\"3.5.5\",\"matchCriteriaId\":\"F2062F74-68D8-4E75-BC69-6038B519F823\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.6.0\",\"versionEndIncluding\":\"3.6.3\",\"matchCriteriaId\":\"342D4A63-0972-413B-BD65-0495DBF1CDFB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7098B44F-56BF-42E3-8831-48D0A8E99EE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"704CFA1A-953E-4105-BFBE-406034B83DED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97A4B8DF-58DA-4AB6-A1F9-331B36409BA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/ansible/ansible/issues/67791\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.gentoo.org/glsa/202006-11\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4950\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
pysec-2020-5
Vulnerability from pysec
Published
2020-03-11 19:15
Modified
2020-06-13 04:15
Details
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p
Aliases
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "ansible", "purl": "pkg:pypi/ansible" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.7.17" }, { "introduced": "2.8.0" }, { "fixed": "2.8.8" }, { "introduced": "2.9.0" }, { "fixed": "2.9.6" } ], "type": "ECOSYSTEM" } ], "versions": [ "1.0", "1.1", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.4", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.5", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.6", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.6.10", "1.7", "1.7.1", "1.7.2", "1.8", "1.8.1", "1.8.2", "1.8.3", "1.8.4", "1.9.0", "1.9.0.1", "1.9.1", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "2.0.0.0", "2.0.0", "2.0.0.1", "2.0.0.2", "2.0.1.0", "2.0.2.0", "2.1.0.0", "2.1.1.0", "2.1.2.0", "2.1.3.0", "2.1.4.0", "2.1.5.0", "2.1.6.0", "2.2.0.0", "2.2.1.0", "2.2.2.0", "2.2.3.0", "2.3.0.0", "2.3.1.0", "2.3.2.0", "2.3.3.0", "2.4.0.0", "2.4.1.0", "2.4.2.0", "2.4.3.0", "2.4.4.0", "2.4.5.0", "2.4.6.0", "2.5.0a1", "2.5.0b1", "2.5.0b2", "2.5.0rc1", "2.5.0rc2", "2.5.0rc3", "2.5.0", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.5.6", "2.5.7", "2.5.8", "2.5.9", "2.5.10", "2.5.11", "2.5.12", "2.5.13", "2.5.14", "2.5.15", "2.6.0a1", "2.6.0a2", "2.6.0rc1", "2.6.0rc2", "2.6.0rc3", "2.6.0rc4", "2.6.0rc5", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.8", "2.6.9", "2.6.10", "2.6.11", "2.6.12", "2.6.13", "2.6.14", "2.6.15", "2.6.16", "2.6.17", "2.6.18", "2.6.19", "2.6.20", "2.7.0.dev0", "2.7.0a1", "2.7.0b1", "2.7.0rc1", "2.7.0rc2", "2.7.0rc3", "2.7.0rc4", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.10", "2.7.11", "2.7.12", "2.7.13", "2.7.14", "2.7.15", "2.7.16", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.9.0", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5" ] } ], "aliases": [ "CVE-2020-1733", "GHSA-g4mq-6fp5-qwcf" ], "details": "A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027.", "id": "PYSEC-2020-5", "modified": "2020-06-13T04:15:00Z", "published": "2020-03-11T19:15:00Z", "references": [ { "type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733" }, { "type": "REPORT", "url": "https://github.com/ansible/ansible/issues/67791" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html" }, { "type": "ADVISORY", "url": "https://security.gentoo.org/glsa/202006-11" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-g4mq-6fp5-qwcf" } ] }
rhsa-2020_1541
Vulnerability from csaf_redhat
Published
2020-04-22 14:10
Modified
2024-11-05 22:06
Summary
Red Hat Security Advisory: Ansible security and bug fix update (2.9.7)
Notes
Topic
An update for ansible is now available for Ansible Engine 2.9
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details
Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.
The following packages have been upgraded to a newer upstream version:
ansible (2.9.7)
Bug Fix(es):
* CVE-2020-10684 Ansible: code injection when using ansible_facts as a
subkey
* CVE-2020-10685 Ansible: modules which use files encrypted with vault are
not properly cleaned up
* CVE-2020-10691 Ansible: archive traversal vulnerability in ansible-galaxy
collection install
* CVE-2020-1733 ansible: insecure temporary directory when running
become_user from become directive
* CVE-2020-1735 ansible: path injection on dest parameter in fetch module
* CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not
check extracted path
* CVE-2020-1739 ansible: svn module leaks password when specified as a
parameter
* CVE-2020-1740 ansible: secrets readable after ansible-vault edit
* CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and
ldap_entry modules
* CVE-2020-1753 Ansible: kubectl connection plugin leaks sensitive
information
See:
https://github.com/ansible/ansible/blob/v2.9.7/changelogs/CHANGELOG-v2.9.rst
for details on bug fixes in this release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for ansible is now available for Ansible Engine 2.9\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Ansible is a simple model-driven configuration management, multi-node\ndeployment, and remote-task execution system. Ansible works over SSH and\ndoes not require any software or daemons to be installed on remote nodes.\nExtension modules can be written in any language and are transferred to\nmanaged machines automatically.\n\nThe following packages have been upgraded to a newer upstream version:\nansible (2.9.7)\n\nBug Fix(es):\n* CVE-2020-10684 Ansible: code injection when using ansible_facts as a\nsubkey\n* CVE-2020-10685 Ansible: modules which use files encrypted with vault are\nnot properly cleaned up\n* CVE-2020-10691 Ansible: archive traversal vulnerability in ansible-galaxy\ncollection install\n* CVE-2020-1733 ansible: insecure temporary directory when running\nbecome_user from become directive\n* CVE-2020-1735 ansible: path injection on dest parameter in fetch module\n* CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not\ncheck extracted path\n* CVE-2020-1739 ansible: svn module leaks password when specified as a\nparameter\n* CVE-2020-1740 ansible: secrets readable after ansible-vault edit\n* CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and\nldap_entry modules\n* CVE-2020-1753 Ansible: kubectl connection plugin leaks sensitive\ninformation\n\nSee:\nhttps://github.com/ansible/ansible/blob/v2.9.7/changelogs/CHANGELOG-v2.9.rst\nfor details on bug fixes in this release.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:1541", "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1801735", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801735" }, { "category": "external", "summary": "1802085", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802085" }, { "category": "external", "summary": "1802154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802154" }, { "category": "external", "summary": "1802178", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802178" }, { "category": "external", "summary": "1802193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802193" }, { "category": "external", "summary": "1805491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805491" }, { "category": "external", "summary": "1811008", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811008" }, { "category": "external", "summary": "1814627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814627" }, { "category": "external", "summary": "1815519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815519" }, { "category": "external", "summary": "1817161", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817161" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1541.json" } ], "title": "Red Hat Security Advisory: Ansible security and bug fix update (2.9.7)", "tracking": { "current_release_date": "2024-11-05T22:06:49+00:00", "generator": { "date": "2024-11-05T22:06:49+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2020:1541", "initial_release_date": "2020-04-22T14:10:47+00:00", "revision_history": [ { "date": "2020-04-22T14:10:47+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-04-22T14:10:47+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-05T22:06:49+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Ansible Engine 2.9 for RHEL 7 Server", "product": { "name": "Red Hat Ansible Engine 2.9 for RHEL 7 Server", "product_id": "7Server-Ansible-2.9", "product_identification_helper": { "cpe": "cpe:/a:redhat:ansible_engine:2.9::el7" } } }, { "category": "product_name", "name": "Red Hat Ansible Engine 2.9 for RHEL 8", "product": { "name": "Red Hat Ansible Engine 2.9 for RHEL 8", "product_id": "8Base-Ansible-2.9", "product_identification_helper": { "cpe": "cpe:/a:redhat:ansible_engine:2.9::el8" } } } ], "category": "product_family", "name": "Red Hat Ansible Engine" }, { "branches": [ { "category": "product_version", "name": "ansible-0:2.9.7-1.el7ae.noarch", "product": { "name": "ansible-0:2.9.7-1.el7ae.noarch", "product_id": "ansible-0:2.9.7-1.el7ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.9.7-1.el7ae?arch=noarch" } } }, { "category": "product_version", "name": "ansible-test-0:2.9.7-1.el7ae.noarch", "product": { "name": "ansible-test-0:2.9.7-1.el7ae.noarch", "product_id": "ansible-test-0:2.9.7-1.el7ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible-test@2.9.7-1.el7ae?arch=noarch" } } }, { "category": "product_version", "name": "ansible-0:2.9.7-1.el8ae.noarch", "product": { "name": "ansible-0:2.9.7-1.el8ae.noarch", "product_id": "ansible-0:2.9.7-1.el8ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.9.7-1.el8ae?arch=noarch" } } }, { "category": "product_version", "name": "ansible-test-0:2.9.7-1.el8ae.noarch", "product": { "name": "ansible-test-0:2.9.7-1.el8ae.noarch", "product_id": "ansible-test-0:2.9.7-1.el8ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible-test@2.9.7-1.el8ae?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "ansible-0:2.9.7-1.el7ae.src", "product": { "name": "ansible-0:2.9.7-1.el7ae.src", "product_id": "ansible-0:2.9.7-1.el7ae.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.9.7-1.el7ae?arch=src" } } }, { "category": "product_version", "name": "ansible-0:2.9.7-1.el8ae.src", "product": { "name": "ansible-0:2.9.7-1.el8ae.src", "product_id": "ansible-0:2.9.7-1.el8ae.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.9.7-1.el8ae?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.9.7-1.el7ae.noarch as a component of Red Hat Ansible Engine 2.9 for RHEL 7 Server", "product_id": "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch" }, "product_reference": "ansible-0:2.9.7-1.el7ae.noarch", "relates_to_product_reference": "7Server-Ansible-2.9" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.9.7-1.el7ae.src as a component of Red Hat Ansible Engine 2.9 for RHEL 7 Server", "product_id": "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src" }, "product_reference": "ansible-0:2.9.7-1.el7ae.src", "relates_to_product_reference": "7Server-Ansible-2.9" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-test-0:2.9.7-1.el7ae.noarch as a component of Red Hat Ansible Engine 2.9 for RHEL 7 Server", "product_id": "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch" }, "product_reference": "ansible-test-0:2.9.7-1.el7ae.noarch", "relates_to_product_reference": "7Server-Ansible-2.9" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.9.7-1.el8ae.noarch as a component of Red Hat Ansible Engine 2.9 for RHEL 8", "product_id": "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch" }, "product_reference": "ansible-0:2.9.7-1.el8ae.noarch", "relates_to_product_reference": "8Base-Ansible-2.9" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.9.7-1.el8ae.src as a component of Red Hat Ansible Engine 2.9 for RHEL 8", "product_id": "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src" }, "product_reference": "ansible-0:2.9.7-1.el8ae.src", "relates_to_product_reference": "8Base-Ansible-2.9" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-test-0:2.9.7-1.el8ae.noarch as a component of Red Hat Ansible Engine 2.9 for RHEL 8", "product_id": "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" }, "product_reference": "ansible-test-0:2.9.7-1.el8ae.noarch", "relates_to_product_reference": "8Base-Ansible-2.9" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1733", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1801735" } ], "notes": [ { "category": "description", "text": "A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: insecure temporary directory when running become_user from become directive", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1733" }, { "category": "external", "summary": "RHBZ#1801735", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801735" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1733", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1733" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:47+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "workaround", "details": "This issue can be mitigated by mounting the proc filesystem with hidepid=2 option (https://www.kernel.org/doc/Documentation/filesystems/proc.txt). This way only the user used by Ansible will be able to perform the attack as users on the system will be able to access only their processes /proc/$PID/ directories.\n\nAlso note that mounting proc filesystem with hidepid=2 might require re-mounting it on unpatched kernels, due to a kernel bug (see https://unix.stackexchange.com/questions/584054/why-procfs-mount-option-only-working-on-remount), there will be hidepid=3 in the future (https://patchwork.kernel.org/patch/11310217/).", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "products": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: insecure temporary directory when running become_user from become directive" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1735", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802085" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: path injection on dest parameter in fetch module", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1735" }, { "category": "external", "summary": "RHBZ#1802085", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802085" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1735", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1735" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1735", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1735" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:47+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the affected fetch module when possible.", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: path injection on dest parameter in fetch module" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1737", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2020-02-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802154" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: Extract-Zip function in win_unzip module does not check extracted path", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1737" }, { "category": "external", "summary": "RHBZ#1802154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802154" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1737", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1737" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1737", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1737" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:47+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the affected win_unzip module when possible.", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: Extract-Zip function in win_unzip module does not check extracted path" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1739", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802178" } ], "notes": [ { "category": "description", "text": "A flaw was found in Ansible Engine. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: svn module leaks password when specified as a parameter", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1739" }, { "category": "external", "summary": "RHBZ#1802178", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802178" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1739", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1739" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1739", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1739" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:47+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "workaround", "details": "Instead of using the parameter \u0027password\u0027 of the subversion module, provide the password with stdin.", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: svn module leaks password when specified as a parameter" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1740", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802193" } ], "notes": [ { "category": "description", "text": "A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: secrets readable after ansible-vault edit", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1740" }, { "category": "external", "summary": "RHBZ#1802193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802193" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1740", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1740" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1740", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1740" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:47+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the \u0027edit\u0027 option from \u0027ansible-vault\u0027 command line tool.", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: secrets readable after ansible-vault edit" }, { "acknowledgments": [ { "names": [ "Felix Fountein" ] } ], "cve": "CVE-2020-1746", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2019-12-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1805491" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: Information disclosure issue in ldap_attr and ldap_entry modules", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.\n\n* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1746" }, { "category": "external", "summary": "RHBZ#1805491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805491" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1746", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1746" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1746", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1746" } ], "release_date": "2020-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:47+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "workaround", "details": "Using args keyword and embedding the ldap_auth variable instead of using bind_pw parameter would mitigate this issue.", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: Information disclosure issue in ldap_attr and ldap_entry modules" }, { "acknowledgments": [ { "names": [ "Abhijeet Kasurde" ], "organization": "Red Hat", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2020-1753", "cwe": { "id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" }, "discovery_date": "2020-03-06T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1811008" } ], "notes": [ { "category": "description", "text": "A security flaw was found in the Ansible Engine when managing Kubernetes using the k8s connection plugin. Sensitive parameters such as passwords and tokens are passed to the kubectl command line instead of using environment variables or an input configuration file, which is safer. This flaw discloses passwords and tokens from the process list, and the no_log directive from the debug module would not be reflected in the underlying command-line tools options, displaying passwords and tokens on stdout and log files.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: kubectl connection plugin leaks sensitive information", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.17, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1753" }, { "category": "external", "summary": "RHBZ#1811008", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811008" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1753", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1753" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1753", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1753" } ], "release_date": "2020-03-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:47+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue.", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Ansible: kubectl connection plugin leaks sensitive information" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-10684", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1815519" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine. When using ansible_facts as a subkey of itself, and promoting it to a variable when injecting is enabled, overwriting the ansible_facts after the clean, an attacker could take advantage of this by altering the ansible_facts leading to privilege escalation or code injection. The highest threat from this vulnerability are to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: code injection when using ansible_facts as a subkey", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be consumed from core Ansible. But we still ship ansible separately for ceph ubuntu.\n* Red Hat OpenStack Platform does package the affected code. However, because RHOSP does not use ansible_facts as a subkey directly, the RHOSP impact has been reduced to Moderate and no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-10684" }, { "category": "external", "summary": "RHBZ#1815519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815519" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10684", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10684" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684" } ], "release_date": "2020-03-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:47+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "workaround", "details": "Currently, there is not a known mitigation except avoiding the functionality of using ansible_facts as a subkey.", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "version": "3.1" }, "products": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "Ansible: code injection when using ansible_facts as a subkey" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-10685", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1814627" } ], "notes": [ { "category": "description", "text": "A flaw was found on Ansible Engine when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the secrets unencrypted.\r\n\r\nOn Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decrypted data remains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted is sensible.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: modules which use files encrypted with vault are not properly cleaned up", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\n* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-10685" }, { "category": "external", "summary": "RHBZ#1814627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814627" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10685", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10685" } ], "release_date": "2020-03-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:47+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except by removing manually the temporary created file after every run.", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Ansible: modules which use files encrypted with vault are not properly cleaned up" }, { "acknowledgments": [ { "names": [ "Felix Fountein" ] } ], "cve": "CVE-2020-10691", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2020-03-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1817161" } ], "notes": [ { "category": "description", "text": "An archive traversal flaw was found in Ansible Engine when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: archive traversal vulnerability in ansible-galaxy collection install", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.9.6 as well as previous 2.9.x versions are affected. Ansible versions less than or equal to 2.8 are not affected by this vulnerability as this functionality was introduced on 2.9.\n\nAnsible Tower 3.6.3 as well as previous 3.6.x versions are affected as they use ansible-galaxy collections.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-10691" }, { "category": "external", "summary": "RHBZ#1817161", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817161" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10691", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10691" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10691", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10691" } ], "release_date": "2020-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:47+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "workaround", "details": "A possible mitigation of archive traversal issue could be done by restricting file access control and directory write accesses for extracting tarball files. This is feasible only for scenarios when the destination path could be known and enforced beforehand.", "product_ids": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1" }, "products": [ "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2.9:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2.9:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2.9:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2.9:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Ansible: archive traversal vulnerability in ansible-galaxy collection install" } ] }
rhsa-2020_1544
Vulnerability from csaf_redhat
Published
2020-04-22 14:11
Modified
2024-11-05 22:07
Summary
Red Hat Security Advisory: Ansible security and bug fix update (2.7.17)
Notes
Topic
An update for ansible is now available for Ansible Engine 2.7
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details
Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.
The following packages have been upgraded to a newer upstream version:
ansible (2.7.17)
Bug Fix(es):
* CVE-2020-10684 Ansible: code injection when using ansible_facts as a
subkey
* CVE-2020-10685 Ansible: modules which use files encrypted with vault are
not properly cleaned up
* CVE-2020-1733 ansible: insecure temporary directory when running
become_user from become directive
* CVE-2020-1735 ansible: path injection on dest parameter in fetch module
* CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not
check extracted path
* CVE-2020-1739 ansible: svn module leaks password when specified as a
parameter
* CVE-2020-1740 ansible: secrets readable after ansible-vault edit
* CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and
ldap_entry modules
See:
https://github.com/ansible/ansible/blob/v2.7.17/changelogs/CHANGELOG-v2.7.rst
for details on bug fixes in this release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for ansible is now available for Ansible Engine 2.7\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Ansible is a simple model-driven configuration management, multi-node\ndeployment, and remote-task execution system. Ansible works over SSH and\ndoes not require any software or daemons to be installed on remote nodes.\nExtension modules can be written in any language and are transferred to\nmanaged machines automatically.\n\nThe following packages have been upgraded to a newer upstream version:\nansible (2.7.17)\n\nBug Fix(es):\n* CVE-2020-10684 Ansible: code injection when using ansible_facts as a\nsubkey\n* CVE-2020-10685 Ansible: modules which use files encrypted with vault are\nnot properly cleaned up\n* CVE-2020-1733 ansible: insecure temporary directory when running\nbecome_user from become directive\n* CVE-2020-1735 ansible: path injection on dest parameter in fetch module\n* CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not\ncheck extracted path\n* CVE-2020-1739 ansible: svn module leaks password when specified as a\nparameter\n* CVE-2020-1740 ansible: secrets readable after ansible-vault edit\n* CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and\nldap_entry modules\n\nSee:\nhttps://github.com/ansible/ansible/blob/v2.7.17/changelogs/CHANGELOG-v2.7.rst\nfor details on bug fixes in this release.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:1544", "url": "https://access.redhat.com/errata/RHSA-2020:1544" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1801735", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801735" }, { "category": "external", "summary": "1802085", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802085" }, { "category": "external", "summary": "1802154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802154" }, { "category": "external", "summary": "1802178", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802178" }, { "category": "external", "summary": "1802193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802193" }, { "category": "external", "summary": "1805491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805491" }, { "category": "external", "summary": "1814627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814627" }, { "category": "external", "summary": "1815519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815519" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1544.json" } ], "title": "Red Hat Security Advisory: Ansible security and bug fix update (2.7.17)", "tracking": { "current_release_date": "2024-11-05T22:07:21+00:00", "generator": { "date": "2024-11-05T22:07:21+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2020:1544", "initial_release_date": "2020-04-22T14:11:01+00:00", "revision_history": [ { "date": "2020-04-22T14:11:01+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-04-22T14:11:01+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-05T22:07:21+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Ansible Engine 2.7 for RHEL 7 Server", "product": { "name": "Red Hat Ansible Engine 2.7 for RHEL 7 Server", "product_id": "7Server-Ansible-2.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:ansible_engine:2.7::el7" } } } ], "category": "product_family", "name": "Red Hat Ansible Engine" }, { "branches": [ { "category": "product_version", "name": "ansible-0:2.7.17-1.el7ae.noarch", "product": { "name": "ansible-0:2.7.17-1.el7ae.noarch", "product_id": "ansible-0:2.7.17-1.el7ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.7.17-1.el7ae?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "ansible-0:2.7.17-1.el7ae.src", "product": { "name": "ansible-0:2.7.17-1.el7ae.src", "product_id": "ansible-0:2.7.17-1.el7ae.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.7.17-1.el7ae?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.7.17-1.el7ae.noarch as a component of Red Hat Ansible Engine 2.7 for RHEL 7 Server", "product_id": "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch" }, "product_reference": "ansible-0:2.7.17-1.el7ae.noarch", "relates_to_product_reference": "7Server-Ansible-2.7" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.7.17-1.el7ae.src as a component of Red Hat Ansible Engine 2.7 for RHEL 7 Server", "product_id": "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" }, "product_reference": "ansible-0:2.7.17-1.el7ae.src", "relates_to_product_reference": "7Server-Ansible-2.7" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1733", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1801735" } ], "notes": [ { "category": "description", "text": "A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: insecure temporary directory when running become_user from become directive", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1733" }, { "category": "external", "summary": "RHBZ#1801735", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801735" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1733", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1733" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:01+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1544" }, { "category": "workaround", "details": "This issue can be mitigated by mounting the proc filesystem with hidepid=2 option (https://www.kernel.org/doc/Documentation/filesystems/proc.txt). This way only the user used by Ansible will be able to perform the attack as users on the system will be able to access only their processes /proc/$PID/ directories.\n\nAlso note that mounting proc filesystem with hidepid=2 might require re-mounting it on unpatched kernels, due to a kernel bug (see https://unix.stackexchange.com/questions/584054/why-procfs-mount-option-only-working-on-remount), there will be hidepid=3 in the future (https://patchwork.kernel.org/patch/11310217/).", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "products": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: insecure temporary directory when running become_user from become directive" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1735", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802085" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: path injection on dest parameter in fetch module", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1735" }, { "category": "external", "summary": "RHBZ#1802085", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802085" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1735", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1735" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1735", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1735" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:01+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1544" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the affected fetch module when possible.", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: path injection on dest parameter in fetch module" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1737", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2020-02-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802154" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: Extract-Zip function in win_unzip module does not check extracted path", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1737" }, { "category": "external", "summary": "RHBZ#1802154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802154" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1737", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1737" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1737", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1737" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:01+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1544" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the affected win_unzip module when possible.", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: Extract-Zip function in win_unzip module does not check extracted path" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1739", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802178" } ], "notes": [ { "category": "description", "text": "A flaw was found in Ansible Engine. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: svn module leaks password when specified as a parameter", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1739" }, { "category": "external", "summary": "RHBZ#1802178", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802178" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1739", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1739" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1739", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1739" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:01+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1544" }, { "category": "workaround", "details": "Instead of using the parameter \u0027password\u0027 of the subversion module, provide the password with stdin.", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: svn module leaks password when specified as a parameter" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1740", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802193" } ], "notes": [ { "category": "description", "text": "A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: secrets readable after ansible-vault edit", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1740" }, { "category": "external", "summary": "RHBZ#1802193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802193" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1740", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1740" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1740", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1740" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:01+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1544" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the \u0027edit\u0027 option from \u0027ansible-vault\u0027 command line tool.", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: secrets readable after ansible-vault edit" }, { "acknowledgments": [ { "names": [ "Felix Fountein" ] } ], "cve": "CVE-2020-1746", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2019-12-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1805491" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: Information disclosure issue in ldap_attr and ldap_entry modules", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.\n\n* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1746" }, { "category": "external", "summary": "RHBZ#1805491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805491" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1746", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1746" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1746", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1746" } ], "release_date": "2020-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:01+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1544" }, { "category": "workaround", "details": "Using args keyword and embedding the ldap_auth variable instead of using bind_pw parameter would mitigate this issue.", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: Information disclosure issue in ldap_attr and ldap_entry modules" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-10684", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1815519" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine. When using ansible_facts as a subkey of itself, and promoting it to a variable when injecting is enabled, overwriting the ansible_facts after the clean, an attacker could take advantage of this by altering the ansible_facts leading to privilege escalation or code injection. The highest threat from this vulnerability are to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: code injection when using ansible_facts as a subkey", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be consumed from core Ansible. But we still ship ansible separately for ceph ubuntu.\n* Red Hat OpenStack Platform does package the affected code. However, because RHOSP does not use ansible_facts as a subkey directly, the RHOSP impact has been reduced to Moderate and no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-10684" }, { "category": "external", "summary": "RHBZ#1815519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815519" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10684", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10684" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684" } ], "release_date": "2020-03-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:01+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1544" }, { "category": "workaround", "details": "Currently, there is not a known mitigation except avoiding the functionality of using ansible_facts as a subkey.", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "version": "3.1" }, "products": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "Ansible: code injection when using ansible_facts as a subkey" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-10685", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1814627" } ], "notes": [ { "category": "description", "text": "A flaw was found on Ansible Engine when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the secrets unencrypted.\r\n\r\nOn Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decrypted data remains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted is sensible.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: modules which use files encrypted with vault are not properly cleaned up", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\n* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-10685" }, { "category": "external", "summary": "RHBZ#1814627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814627" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10685", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10685" } ], "release_date": "2020-03-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:01+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1544" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except by removing manually the temporary created file after every run.", "product_ids": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.noarch", "7Server-Ansible-2.7:ansible-0:2.7.17-1.el7ae.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Ansible: modules which use files encrypted with vault are not properly cleaned up" } ] }
rhsa-2020_1542
Vulnerability from csaf_redhat
Published
2020-04-22 14:10
Modified
2024-11-05 22:06
Summary
Red Hat Security Advisory: Ansible security and bug fix update (2.9.7)
Notes
Topic
An update for ansible is now available for Ansible Engine 2
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details
Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.
The following packages have been upgraded to a newer upstream version:
ansible (2.9.7)
Bug Fix(es):
* CVE-2020-10684 Ansible: code injection when using ansible_facts as a
subkey
* CVE-2020-10685 Ansible: modules which use files encrypted with vault are
not properly cleaned up
* CVE-2020-10691 Ansible: archive traversal vulnerability in ansible-galaxy
collection install
* CVE-2020-1733 ansible: insecure temporary directory when running
become_user from become directive
* CVE-2020-1735 ansible: path injection on dest parameter in fetch module
* CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not
check extracted path
* CVE-2020-1739 ansible: svn module leaks password when specified as a
parameter
* CVE-2020-1740 ansible: secrets readable after ansible-vault edit
* CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and
ldap_entry modules
* CVE-2020-1753 Ansible: kubectl connection plugin leaks sensitive
information
See:
https://github.com/ansible/ansible/blob/v2.9.7/changelogs/CHANGELOG-v2.9.rst
for details on bug fixes in this release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for ansible is now available for Ansible Engine 2\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Ansible is a simple model-driven configuration management, multi-node\ndeployment, and remote-task execution system. Ansible works over SSH and\ndoes not require any software or daemons to be installed on remote nodes.\nExtension modules can be written in any language and are transferred to\nmanaged machines automatically.\n\nThe following packages have been upgraded to a newer upstream version:\nansible (2.9.7)\n\nBug Fix(es):\n* CVE-2020-10684 Ansible: code injection when using ansible_facts as a\nsubkey\n* CVE-2020-10685 Ansible: modules which use files encrypted with vault are\nnot properly cleaned up\n* CVE-2020-10691 Ansible: archive traversal vulnerability in ansible-galaxy\ncollection install\n* CVE-2020-1733 ansible: insecure temporary directory when running\nbecome_user from become directive\n* CVE-2020-1735 ansible: path injection on dest parameter in fetch module\n* CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not\ncheck extracted path\n* CVE-2020-1739 ansible: svn module leaks password when specified as a\nparameter\n* CVE-2020-1740 ansible: secrets readable after ansible-vault edit\n* CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and\nldap_entry modules\n* CVE-2020-1753 Ansible: kubectl connection plugin leaks sensitive\ninformation\n\nSee:\nhttps://github.com/ansible/ansible/blob/v2.9.7/changelogs/CHANGELOG-v2.9.rst\nfor details on bug fixes in this release.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:1542", "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1801735", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801735" }, { "category": "external", "summary": "1802085", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802085" }, { "category": "external", "summary": "1802154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802154" }, { "category": "external", "summary": "1802178", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802178" }, { "category": "external", "summary": "1802193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802193" }, { "category": "external", "summary": "1805491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805491" }, { "category": "external", "summary": "1811008", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811008" }, { "category": "external", "summary": "1814627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814627" }, { "category": "external", "summary": "1815519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815519" }, { "category": "external", "summary": "1817161", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817161" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1542.json" } ], "title": "Red Hat Security Advisory: Ansible security and bug fix update (2.9.7)", "tracking": { "current_release_date": "2024-11-05T22:06:56+00:00", "generator": { "date": "2024-11-05T22:06:56+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2020:1542", "initial_release_date": "2020-04-22T14:10:54+00:00", "revision_history": [ { "date": "2020-04-22T14:10:54+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-04-22T14:10:54+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-05T22:06:56+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Ansible Engine 2 for RHEL 7", "product": { "name": "Red Hat Ansible Engine 2 for RHEL 7", "product_id": "7Server-Ansible-2", "product_identification_helper": { "cpe": "cpe:/a:redhat:ansible_engine:2::el7" } } }, { "category": "product_name", "name": "Red Hat Ansible Engine 2 for RHEL 8", "product": { "name": "Red Hat Ansible Engine 2 for RHEL 8", "product_id": "8Base-Ansible-2", "product_identification_helper": { "cpe": "cpe:/a:redhat:ansible_engine:2::el8" } } } ], "category": "product_family", "name": "Red Hat Ansible Engine" }, { "branches": [ { "category": "product_version", "name": "ansible-0:2.9.7-1.el7ae.noarch", "product": { "name": "ansible-0:2.9.7-1.el7ae.noarch", "product_id": "ansible-0:2.9.7-1.el7ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.9.7-1.el7ae?arch=noarch" } } }, { "category": "product_version", "name": "ansible-test-0:2.9.7-1.el7ae.noarch", "product": { "name": "ansible-test-0:2.9.7-1.el7ae.noarch", "product_id": "ansible-test-0:2.9.7-1.el7ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible-test@2.9.7-1.el7ae?arch=noarch" } } }, { "category": "product_version", "name": "ansible-0:2.9.7-1.el8ae.noarch", "product": { "name": "ansible-0:2.9.7-1.el8ae.noarch", "product_id": "ansible-0:2.9.7-1.el8ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.9.7-1.el8ae?arch=noarch" } } }, { "category": "product_version", "name": "ansible-test-0:2.9.7-1.el8ae.noarch", "product": { "name": "ansible-test-0:2.9.7-1.el8ae.noarch", "product_id": "ansible-test-0:2.9.7-1.el8ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible-test@2.9.7-1.el8ae?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "ansible-0:2.9.7-1.el7ae.src", "product": { "name": "ansible-0:2.9.7-1.el7ae.src", "product_id": "ansible-0:2.9.7-1.el7ae.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.9.7-1.el7ae?arch=src" } } }, { "category": "product_version", "name": "ansible-0:2.9.7-1.el8ae.src", "product": { "name": "ansible-0:2.9.7-1.el8ae.src", "product_id": "ansible-0:2.9.7-1.el8ae.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.9.7-1.el8ae?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.9.7-1.el7ae.noarch as a component of Red Hat Ansible Engine 2 for RHEL 7", "product_id": "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch" }, "product_reference": "ansible-0:2.9.7-1.el7ae.noarch", "relates_to_product_reference": "7Server-Ansible-2" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.9.7-1.el7ae.src as a component of Red Hat Ansible Engine 2 for RHEL 7", "product_id": "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src" }, "product_reference": "ansible-0:2.9.7-1.el7ae.src", "relates_to_product_reference": "7Server-Ansible-2" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-test-0:2.9.7-1.el7ae.noarch as a component of Red Hat Ansible Engine 2 for RHEL 7", "product_id": "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch" }, "product_reference": "ansible-test-0:2.9.7-1.el7ae.noarch", "relates_to_product_reference": "7Server-Ansible-2" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.9.7-1.el8ae.noarch as a component of Red Hat Ansible Engine 2 for RHEL 8", "product_id": "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch" }, "product_reference": "ansible-0:2.9.7-1.el8ae.noarch", "relates_to_product_reference": "8Base-Ansible-2" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.9.7-1.el8ae.src as a component of Red Hat Ansible Engine 2 for RHEL 8", "product_id": "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src" }, "product_reference": "ansible-0:2.9.7-1.el8ae.src", "relates_to_product_reference": "8Base-Ansible-2" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-test-0:2.9.7-1.el8ae.noarch as a component of Red Hat Ansible Engine 2 for RHEL 8", "product_id": "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" }, "product_reference": "ansible-test-0:2.9.7-1.el8ae.noarch", "relates_to_product_reference": "8Base-Ansible-2" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1733", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1801735" } ], "notes": [ { "category": "description", "text": "A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: insecure temporary directory when running become_user from become directive", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1733" }, { "category": "external", "summary": "RHBZ#1801735", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801735" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1733", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1733" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:54+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "workaround", "details": "This issue can be mitigated by mounting the proc filesystem with hidepid=2 option (https://www.kernel.org/doc/Documentation/filesystems/proc.txt). This way only the user used by Ansible will be able to perform the attack as users on the system will be able to access only their processes /proc/$PID/ directories.\n\nAlso note that mounting proc filesystem with hidepid=2 might require re-mounting it on unpatched kernels, due to a kernel bug (see https://unix.stackexchange.com/questions/584054/why-procfs-mount-option-only-working-on-remount), there will be hidepid=3 in the future (https://patchwork.kernel.org/patch/11310217/).", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "products": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: insecure temporary directory when running become_user from become directive" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1735", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802085" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: path injection on dest parameter in fetch module", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1735" }, { "category": "external", "summary": "RHBZ#1802085", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802085" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1735", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1735" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1735", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1735" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:54+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the affected fetch module when possible.", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: path injection on dest parameter in fetch module" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1737", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2020-02-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802154" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: Extract-Zip function in win_unzip module does not check extracted path", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1737" }, { "category": "external", "summary": "RHBZ#1802154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802154" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1737", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1737" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1737", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1737" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:54+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the affected win_unzip module when possible.", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: Extract-Zip function in win_unzip module does not check extracted path" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1739", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802178" } ], "notes": [ { "category": "description", "text": "A flaw was found in Ansible Engine. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: svn module leaks password when specified as a parameter", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1739" }, { "category": "external", "summary": "RHBZ#1802178", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802178" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1739", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1739" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1739", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1739" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:54+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "workaround", "details": "Instead of using the parameter \u0027password\u0027 of the subversion module, provide the password with stdin.", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: svn module leaks password when specified as a parameter" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1740", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802193" } ], "notes": [ { "category": "description", "text": "A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: secrets readable after ansible-vault edit", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1740" }, { "category": "external", "summary": "RHBZ#1802193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802193" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1740", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1740" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1740", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1740" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:54+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the \u0027edit\u0027 option from \u0027ansible-vault\u0027 command line tool.", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: secrets readable after ansible-vault edit" }, { "acknowledgments": [ { "names": [ "Felix Fountein" ] } ], "cve": "CVE-2020-1746", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2019-12-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1805491" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: Information disclosure issue in ldap_attr and ldap_entry modules", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.\n\n* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1746" }, { "category": "external", "summary": "RHBZ#1805491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805491" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1746", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1746" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1746", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1746" } ], "release_date": "2020-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:54+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "workaround", "details": "Using args keyword and embedding the ldap_auth variable instead of using bind_pw parameter would mitigate this issue.", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: Information disclosure issue in ldap_attr and ldap_entry modules" }, { "acknowledgments": [ { "names": [ "Abhijeet Kasurde" ], "organization": "Red Hat", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2020-1753", "cwe": { "id": "CWE-532", "name": "Insertion of Sensitive Information into Log File" }, "discovery_date": "2020-03-06T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1811008" } ], "notes": [ { "category": "description", "text": "A security flaw was found in the Ansible Engine when managing Kubernetes using the k8s connection plugin. Sensitive parameters such as passwords and tokens are passed to the kubectl command line instead of using environment variables or an input configuration file, which is safer. This flaw discloses passwords and tokens from the process list, and the no_log directive from the debug module would not be reflected in the underlying command-line tools options, displaying passwords and tokens on stdout and log files.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: kubectl connection plugin leaks sensitive information", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.17, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1753" }, { "category": "external", "summary": "RHBZ#1811008", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1811008" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1753", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1753" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1753", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1753" } ], "release_date": "2020-03-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:54+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue.", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Ansible: kubectl connection plugin leaks sensitive information" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-10684", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1815519" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine. When using ansible_facts as a subkey of itself, and promoting it to a variable when injecting is enabled, overwriting the ansible_facts after the clean, an attacker could take advantage of this by altering the ansible_facts leading to privilege escalation or code injection. The highest threat from this vulnerability are to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: code injection when using ansible_facts as a subkey", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be consumed from core Ansible. But we still ship ansible separately for ceph ubuntu.\n* Red Hat OpenStack Platform does package the affected code. However, because RHOSP does not use ansible_facts as a subkey directly, the RHOSP impact has been reduced to Moderate and no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-10684" }, { "category": "external", "summary": "RHBZ#1815519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815519" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10684", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10684" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684" } ], "release_date": "2020-03-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:54+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "workaround", "details": "Currently, there is not a known mitigation except avoiding the functionality of using ansible_facts as a subkey.", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "version": "3.1" }, "products": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "Ansible: code injection when using ansible_facts as a subkey" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-10685", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1814627" } ], "notes": [ { "category": "description", "text": "A flaw was found on Ansible Engine when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the secrets unencrypted.\r\n\r\nOn Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decrypted data remains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted is sensible.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: modules which use files encrypted with vault are not properly cleaned up", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\n* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-10685" }, { "category": "external", "summary": "RHBZ#1814627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814627" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10685", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10685" } ], "release_date": "2020-03-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:54+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except by removing manually the temporary created file after every run.", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Ansible: modules which use files encrypted with vault are not properly cleaned up" }, { "acknowledgments": [ { "names": [ "Felix Fountein" ] } ], "cve": "CVE-2020-10691", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2020-03-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1817161" } ], "notes": [ { "category": "description", "text": "An archive traversal flaw was found in Ansible Engine when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: archive traversal vulnerability in ansible-galaxy collection install", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.9.6 as well as previous 2.9.x versions are affected. Ansible versions less than or equal to 2.8 are not affected by this vulnerability as this functionality was introduced on 2.9.\n\nAnsible Tower 3.6.3 as well as previous 3.6.x versions are affected as they use ansible-galaxy collections.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-10691" }, { "category": "external", "summary": "RHBZ#1817161", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817161" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10691", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10691" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10691", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10691" } ], "release_date": "2020-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:10:54+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "workaround", "details": "A possible mitigation of archive traversal issue could be done by restricting file access control and directory write accesses for extracting tarball files. This is feasible only for scenarios when the destination path could be known and enforced beforehand.", "product_ids": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1" }, "products": [ "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.noarch", "7Server-Ansible-2:ansible-0:2.9.7-1.el7ae.src", "7Server-Ansible-2:ansible-test-0:2.9.7-1.el7ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.noarch", "8Base-Ansible-2:ansible-0:2.9.7-1.el8ae.src", "8Base-Ansible-2:ansible-test-0:2.9.7-1.el8ae.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Ansible: archive traversal vulnerability in ansible-galaxy collection install" } ] }
rhsa-2020_1543
Vulnerability from csaf_redhat
Published
2020-04-22 14:11
Modified
2024-11-05 22:07
Summary
Red Hat Security Advisory: Ansible security and bug fix update (2.8.11)
Notes
Topic
An update for ansible is now available for Ansible Engine 2.8
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Details
Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH and
does not require any software or daemons to be installed on remote nodes.
Extension modules can be written in any language and are transferred to
managed machines automatically.
The following packages have been upgraded to a newer upstream version:
ansible (2.8.11)
Bug Fix(es):
* CVE-2020-10684 Ansible: code injection when using ansible_facts as a
subkey
* CVE-2020-10685 Ansible: modules which use files encrypted with vault are
not properly cleaned up
* CVE-2020-1733 ansible: insecure temporary directory when running
become_user from become directive
* CVE-2020-1735 ansible: path injection on dest parameter in fetch module
* CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not
check extracted path
* CVE-2020-1739 ansible: svn module leaks password when specified as a
parameter
* CVE-2020-1740 ansible: secrets readable after ansible-vault edit
* CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and
ldap_entry modules
See:
https://github.com/ansible/ansible/blob/v2.8.11/changelogs/CHANGELOG-v2.8.rst
for details on bug fixes in this release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for ansible is now available for Ansible Engine 2.8\n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Ansible is a simple model-driven configuration management, multi-node\ndeployment, and remote-task execution system. Ansible works over SSH and\ndoes not require any software or daemons to be installed on remote nodes.\nExtension modules can be written in any language and are transferred to\nmanaged machines automatically.\n\nThe following packages have been upgraded to a newer upstream version:\nansible (2.8.11)\n\nBug Fix(es):\n* CVE-2020-10684 Ansible: code injection when using ansible_facts as a\nsubkey\n* CVE-2020-10685 Ansible: modules which use files encrypted with vault are\nnot properly cleaned up\n* CVE-2020-1733 ansible: insecure temporary directory when running\nbecome_user from become directive\n* CVE-2020-1735 ansible: path injection on dest parameter in fetch module\n* CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not\ncheck extracted path\n* CVE-2020-1739 ansible: svn module leaks password when specified as a\nparameter\n* CVE-2020-1740 ansible: secrets readable after ansible-vault edit\n* CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and\nldap_entry modules\n\nSee:\nhttps://github.com/ansible/ansible/blob/v2.8.11/changelogs/CHANGELOG-v2.8.rst\nfor details on bug fixes in this release.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:1543", "url": "https://access.redhat.com/errata/RHSA-2020:1543" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1801735", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801735" }, { "category": "external", "summary": "1802085", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802085" }, { "category": "external", "summary": "1802154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802154" }, { "category": "external", "summary": "1802178", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802178" }, { "category": "external", "summary": "1802193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802193" }, { "category": "external", "summary": "1805491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805491" }, { "category": "external", "summary": "1814627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814627" }, { "category": "external", "summary": "1815519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815519" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_1543.json" } ], "title": "Red Hat Security Advisory: Ansible security and bug fix update (2.8.11)", "tracking": { "current_release_date": "2024-11-05T22:07:04+00:00", "generator": { "date": "2024-11-05T22:07:04+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2020:1543", "initial_release_date": "2020-04-22T14:11:07+00:00", "revision_history": [ { "date": "2020-04-22T14:11:07+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-04-22T14:11:07+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-05T22:07:04+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Ansible Engine 2.8 for RHEL 7 Server", "product": { "name": "Red Hat Ansible Engine 2.8 for RHEL 7 Server", "product_id": "7Server-Ansible-2.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:ansible_engine:2.8::el7" } } }, { "category": "product_name", "name": "Red Hat Ansible Engine 2.8 for RHEL 8", "product": { "name": "Red Hat Ansible Engine 2.8 for RHEL 8", "product_id": "8Base-Ansible-2.8", "product_identification_helper": { "cpe": "cpe:/a:redhat:ansible_engine:2.8::el8" } } } ], "category": "product_family", "name": "Red Hat Ansible Engine" }, { "branches": [ { "category": "product_version", "name": "ansible-0:2.8.11-1.el7ae.noarch", "product": { "name": "ansible-0:2.8.11-1.el7ae.noarch", "product_id": "ansible-0:2.8.11-1.el7ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.8.11-1.el7ae?arch=noarch" } } }, { "category": "product_version", "name": "ansible-0:2.8.11-1.el8ae.noarch", "product": { "name": "ansible-0:2.8.11-1.el8ae.noarch", "product_id": "ansible-0:2.8.11-1.el8ae.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.8.11-1.el8ae?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "ansible-0:2.8.11-1.el7ae.src", "product": { "name": "ansible-0:2.8.11-1.el7ae.src", "product_id": "ansible-0:2.8.11-1.el7ae.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.8.11-1.el7ae?arch=src" } } }, { "category": "product_version", "name": "ansible-0:2.8.11-1.el8ae.src", "product": { "name": "ansible-0:2.8.11-1.el8ae.src", "product_id": "ansible-0:2.8.11-1.el8ae.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ansible@2.8.11-1.el8ae?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.8.11-1.el7ae.noarch as a component of Red Hat Ansible Engine 2.8 for RHEL 7 Server", "product_id": "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch" }, "product_reference": "ansible-0:2.8.11-1.el7ae.noarch", "relates_to_product_reference": "7Server-Ansible-2.8" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.8.11-1.el7ae.src as a component of Red Hat Ansible Engine 2.8 for RHEL 7 Server", "product_id": "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src" }, "product_reference": "ansible-0:2.8.11-1.el7ae.src", "relates_to_product_reference": "7Server-Ansible-2.8" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.8.11-1.el8ae.noarch as a component of Red Hat Ansible Engine 2.8 for RHEL 8", "product_id": "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch" }, "product_reference": "ansible-0:2.8.11-1.el8ae.noarch", "relates_to_product_reference": "8Base-Ansible-2.8" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.8.11-1.el8ae.src as a component of Red Hat Ansible Engine 2.8 for RHEL 8", "product_id": "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" }, "product_reference": "ansible-0:2.8.11-1.el8ae.src", "relates_to_product_reference": "8Base-Ansible-2.8" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1733", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1801735" } ], "notes": [ { "category": "description", "text": "A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: insecure temporary directory when running become_user from become directive", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1733" }, { "category": "external", "summary": "RHBZ#1801735", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801735" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1733", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1733" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:07+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1543" }, { "category": "workaround", "details": "This issue can be mitigated by mounting the proc filesystem with hidepid=2 option (https://www.kernel.org/doc/Documentation/filesystems/proc.txt). This way only the user used by Ansible will be able to perform the attack as users on the system will be able to access only their processes /proc/$PID/ directories.\n\nAlso note that mounting proc filesystem with hidepid=2 might require re-mounting it on unpatched kernels, due to a kernel bug (see https://unix.stackexchange.com/questions/584054/why-procfs-mount-option-only-working-on-remount), there will be hidepid=3 in the future (https://patchwork.kernel.org/patch/11310217/).", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "products": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: insecure temporary directory when running become_user from become directive" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1735", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802085" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: path injection on dest parameter in fetch module", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1735" }, { "category": "external", "summary": "RHBZ#1802085", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802085" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1735", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1735" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1735", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1735" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:07+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1543" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the affected fetch module when possible.", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: path injection on dest parameter in fetch module" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1737", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2020-02-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802154" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: Extract-Zip function in win_unzip module does not check extracted path", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1737" }, { "category": "external", "summary": "RHBZ#1802154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802154" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1737", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1737" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1737", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1737" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:07+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1543" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the affected win_unzip module when possible.", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "ansible: Extract-Zip function in win_unzip module does not check extracted path" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1739", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802178" } ], "notes": [ { "category": "description", "text": "A flaw was found in Ansible Engine. When a password is set with the argument \"password\" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: svn module leaks password when specified as a parameter", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1739" }, { "category": "external", "summary": "RHBZ#1802178", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802178" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1739", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1739" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1739", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1739" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:07+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1543" }, { "category": "workaround", "details": "Instead of using the parameter \u0027password\u0027 of the subversion module, provide the password with stdin.", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: svn module leaks password when specified as a parameter" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-1740", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1802193" } ], "notes": [ { "category": "description", "text": "A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: secrets readable after ansible-vault edit", "title": "Vulnerability summary" }, { "category": "other", "text": "Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\nAnsible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\nIn Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1740" }, { "category": "external", "summary": "RHBZ#1802193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1802193" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1740", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1740" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1740", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1740" } ], "release_date": "2020-02-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:07+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1543" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except avoid using the \u0027edit\u0027 option from \u0027ansible-vault\u0027 command line tool.", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: secrets readable after ansible-vault edit" }, { "acknowledgments": [ { "names": [ "Felix Fountein" ] } ], "cve": "CVE-2020-1746", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2019-12-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1805491" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "ansible: Information disclosure issue in ldap_attr and ldap_entry modules", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.\n\n* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-1746" }, { "category": "external", "summary": "RHBZ#1805491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1805491" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1746", "url": "https://www.cve.org/CVERecord?id=CVE-2020-1746" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1746", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1746" } ], "release_date": "2020-02-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:07+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1543" }, { "category": "workaround", "details": "Using args keyword and embedding the ldap_auth variable instead of using bind_pw parameter would mitigate this issue.", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "ansible: Information disclosure issue in ldap_attr and ldap_entry modules" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-10684", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1815519" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Ansible Engine. When using ansible_facts as a subkey of itself, and promoting it to a variable when injecting is enabled, overwriting the ansible_facts after the clean, an attacker could take advantage of this by altering the ansible_facts leading to privilege escalation or code injection. The highest threat from this vulnerability are to data integrity and system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: code injection when using ansible_facts as a subkey", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be consumed from core Ansible. But we still ship ansible separately for ceph ubuntu.\n* Red Hat OpenStack Platform does package the affected code. However, because RHOSP does not use ansible_facts as a subkey directly, the RHOSP impact has been reduced to Moderate and no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-10684" }, { "category": "external", "summary": "RHBZ#1815519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815519" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10684", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10684" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10684" } ], "release_date": "2020-03-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:07+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1543" }, { "category": "workaround", "details": "Currently, there is not a known mitigation except avoiding the functionality of using ansible_facts as a subkey.", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "version": "3.1" }, "products": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "Ansible: code injection when using ansible_facts as a subkey" }, { "acknowledgments": [ { "names": [ "Damien Aumaitre", "Nicolas Surbayrole" ], "organization": "Quarkslab" } ], "cve": "CVE-2020-10685", "cwe": { "id": "CWE-459", "name": "Incomplete Cleanup" }, "discovery_date": "2020-01-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1814627" } ], "notes": [ { "category": "description", "text": "A flaw was found on Ansible Engine when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the secrets unencrypted.\r\n\r\nOn Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decrypted data remains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted is sensible.", "title": "Vulnerability description" }, { "category": "summary", "text": "Ansible: modules which use files encrypted with vault are not properly cleaned up", "title": "Vulnerability summary" }, { "category": "other", "text": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n\n* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-10685" }, { "category": "external", "summary": "RHBZ#1814627", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1814627" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10685", "url": "https://www.cve.org/CVERecord?id=CVE-2020-10685" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10685", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10685" } ], "release_date": "2020-03-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-04-22T14:11:07+00:00", "details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:1543" }, { "category": "workaround", "details": "Currently, there is no mitigation for this issue except by removing manually the temporary created file after every run.", "product_ids": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.noarch", "7Server-Ansible-2.8:ansible-0:2.8.11-1.el7ae.src", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.noarch", "8Base-Ansible-2.8:ansible-0:2.8.11-1.el8ae.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Ansible: modules which use files encrypted with vault are not properly cleaned up" } ] }
ghsa-g4mq-6fp5-qwcf
Vulnerability from github
Published
2021-04-20 16:46
Modified
2024-09-06 17:42
Severity ?
5.0 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
1.0 (Low) - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
1.0 (Low) - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
Summary
Ansible vulnerable to Exposure of Resource to Wrong Sphere and Insecure Temporary File
Details
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "ansible" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.7.17" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "PyPI", "name": "ansible" }, "ranges": [ { "events": [ { "introduced": "2.8.0a1" }, { "fixed": "2.8.11" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "PyPI", "name": "ansible" }, "ranges": [ { "events": [ { "introduced": "2.9.0a1" }, { "fixed": "2.9.7" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2020-1733" ], "database_specific": { "cwe_ids": [ "CWE-362", "CWE-377", "CWE-668" ], "github_reviewed": true, "github_reviewed_at": "2021-04-05T18:50:43Z", "nvd_published_at": "2020-03-11T19:15:00Z", "severity": "MODERATE" }, "details": "A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027.", "id": "GHSA-g4mq-6fp5-qwcf", "modified": "2024-09-06T17:42:34Z", "published": "2021-04-20T16:46:12Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733" }, { "type": "WEB", "url": "https://github.com/ansible/ansible/issues/67791" }, { "type": "WEB", "url": "https://github.com/ansible/ansible/commit/80b9a0a25c5f75e84aefc8f2b293fb1933b154f2" }, { "type": "WEB", "url": "https://github.com/ansible/ansible/commit/8251d9f4c2bc82632ab992277fcd30ccbf87aa47" }, { "type": "WEB", "url": "https://github.com/ansible/ansible/commit/ecf99d5e1ff732a7777010facd6c98bb0994605e" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-g4mq-6fp5-qwcf" }, { "type": "PACKAGE", "url": "https://github.com/ansible/ansible" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-5.yaml" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202006-11" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4950" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L", "type": "CVSS_V4" } ], "summary": "Ansible vulnerable to Exposure of Resource to Wrong Sphere and Insecure Temporary File" }
wid-sec-w-2023-2479
Vulnerability from csaf_certbund
Published
2020-03-11 23:00
Modified
2023-09-27 22:00
Summary
Ansible: Schwachstelle ermöglicht Unsicheres Erzeugen von temporären Dateien
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Ansible ist eine Software zur Automatisierung von Cloud Provisionierung,
zum Konfigurationsmanagement und zur Anwendungsbereitstellung.
Angriff
Ein lokaler Angreifer kann eine Schwachstelle in Ansible ausnutzen, um temporäre Dateien zu erzeugen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "niedrig" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Ansible ist eine Software zur Automatisierung von Cloud Provisionierung,\r\nzum Konfigurationsmanagement und zur Anwendungsbereitstellung.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein lokaler Angreifer kann eine Schwachstelle in Ansible ausnutzen, um tempor\u00e4re Dateien zu erzeugen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-2479 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2023-2479.json" }, { "category": "self", "summary": "WID-SEC-2023-2479 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2479" }, { "category": "external", "summary": "Amazon Linux Security Advisory ALASANSIBLE2-2023-008 vom 2023-09-27", "url": "https://alas.aws.amazon.com/AL2/ALASANSIBLE2-2023-008.html" }, { "category": "external", "summary": "NIST Database vom 2020-03-11", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1733" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:1542 vom 2020-04-22", "url": "https://access.redhat.com/errata/RHSA-2020:1542" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:1541 vom 2020-04-22", "url": "https://access.redhat.com/errata/RHSA-2020:1541" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:1543 vom 2020-04-22", "url": "https://access.redhat.com/errata/RHSA-2020:1543" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2020:1544 vom 2020-04-22", "url": "https://access.redhat.com/errata/RHSA-2020:1544" }, { "category": "external", "summary": "Debian Security Advisory DLA 2202 vom 2020-05-05", "url": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202005/msg00005.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2020:2911-1 vom 2020-10-13", "url": "http://lists.suse.com/pipermail/sle-security-updates/2020-October/007550.html" }, { "category": "external", "summary": "SUSE Security Update SUSE-SU-2020:3309-1 vom 2020-11-12", "url": "https://lists.suse.com/pipermail/sle-security-updates/2020-November/007763.html" }, { "category": "external", "summary": "Debian Security Advisory DSA-4950 vom 2021-08-07", "url": "https://www.debian.org/security/2021/dsa-4950" } ], "source_lang": "en-US", "title": "Ansible: Schwachstelle erm\u00f6glicht Unsicheres Erzeugen von tempor\u00e4ren Dateien", "tracking": { "current_release_date": "2023-09-27T22:00:00.000+00:00", "generator": { "date": "2024-02-15T17:45:42.747+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-2479", "initial_release_date": "2020-03-11T23:00:00.000+00:00", "revision_history": [ { "date": "2020-03-11T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2020-04-22T22:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2020-05-05T22:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2020-10-13T22:00:00.000+00:00", "number": "4", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2020-11-12T23:00:00.000+00:00", "number": "5", "summary": "Neue Updates von SUSE aufgenommen" }, { "date": "2021-08-08T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Debian aufgenommen" }, { "date": "2023-09-27T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von Amazon aufgenommen" } ], "status": "final", "version": "7" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "Amazon Linux 2", "product": { "name": "Amazon Linux 2", "product_id": "398363", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "category": "product_name", "name": "Debian Linux", "product": { "name": "Debian Linux", "product_id": "2951", "product_identification_helper": { "cpe": "cpe:/o:debian:debian_linux:-" } } } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "branches": [ { "category": "product_name", "name": "Open Source Ansible \u003c= 2.7.17", "product": { "name": "Open Source Ansible \u003c= 2.7.17", "product_id": "T016043", "product_identification_helper": { "cpe": "cpe:/a:open_source:ansible:2.7.17" } } }, { "category": "product_name", "name": "Open Source Ansible \u003c= 2.8.9", "product": { "name": "Open Source Ansible \u003c= 2.8.9", "product_id": "T016044", "product_identification_helper": { "cpe": "cpe:/a:open_source:ansible:2.8.9" } } }, { "category": "product_name", "name": "Open Source Ansible \u003c= 2.9.6", "product": { "name": "Open Source Ansible \u003c= 2.9.6", "product_id": "T016084", "product_identification_helper": { "cpe": "cpe:/a:open_source:ansible:2.9.6" } } } ], "category": "product_name", "name": "Ansible" } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "category": "product_name", "name": "SUSE Linux", "product": { "name": "SUSE Linux", "product_id": "T002207", "product_identification_helper": { "cpe": "cpe:/o:suse:suse_linux:-" } } } ], "category": "vendor", "name": "SUSE" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-1733", "notes": [ { "category": "description", "text": "Es existiert eine Schwachstelle in Ansible. Die Schwachstelle besteht darin, dass ein Modul wenn es \"become_user\" aufruft eine tempor\u00e4res Verzeichnis erzeugt. Besteht dieses Verzeichnis bereits, kann der Angreifer die Kontrolle \u00fcber die aufrufende Instanz erhalten. Ein lokaler Angreifer kann dies ausnutzen, um durch das unsichere Erzeugen von tempor\u00e4ren Dateien die Kontrolle \u00fcber das funktionsaufrufende Modul die Kontrolle zu erlangen. Zur erfolgreichen Ausnutzung dieser Schwachstelle muss der Angreifer den Benutzer dazu bringen die \"become_user\" Funktion aufzurufen." } ], "product_status": { "known_affected": [ "2951", "T002207", "67646", "398363" ], "last_affected": [ "T016044", "T016043", "T016084" ] }, "release_date": "2020-03-11T23:00:00Z", "title": "CVE-2020-1733" } ] }
gsd-2020-1733
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2020-1733", "description": "A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027.", "id": "GSD-2020-1733", "references": [ "https://www.suse.com/security/cve/CVE-2020-1733.html", "https://www.debian.org/security/2021/dsa-4950", "https://access.redhat.com/errata/RHSA-2020:1544", "https://access.redhat.com/errata/RHSA-2020:1543", "https://access.redhat.com/errata/RHSA-2020:1542", "https://access.redhat.com/errata/RHSA-2020:1541", "https://advisories.mageia.org/CVE-2020-1733.html", "https://ubuntu.com/security/CVE-2020-1733" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2020-1733" ], "details": "A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027.", "id": "GSD-2020-1733", "modified": "2023-12-13T01:21:58.446779Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-1733", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Ansible", "version": { "version_data": [ { "version_value": "2.7.17 and prior" }, { "version_value": "2.8.9 and prior" }, { "version_value": "2.9.6 and prior" } ] } } ] }, "vendor_name": "Red Hat" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027." } ] }, "impact": { "cvss": [ [ { "vectorString": "5/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.0" } ] ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-377" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733" }, { "name": "https://github.com/ansible/ansible/issues/67791", "refsource": "MISC", "url": "https://github.com/ansible/ansible/issues/67791" }, { "name": "FEDORA-2020-1b6ce91e37", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/" }, { "name": "FEDORA-2020-3990f03ba3", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/" }, { "name": "FEDORA-2020-f80154b5b4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/" }, { "name": "[debian-lts-announce] 20200505 [SECURITY] [DLA 2202-1] ansible security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html" }, { "name": "GLSA-202006-11", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202006-11" }, { "name": "DSA-4950", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4950" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003c=2.7.16||\u003e=2.8.0,\u003c2.8.8||\u003e=2.9.0,\u003c=2.9.5", "affected_versions": "All versions up to 2.7.16, all versions starting from 2.8.0 before 2.8.8, all versions starting from 2.9.0 up to 2.9.5", "cvss_v2": "AV:L/AC:H/Au:N/C:P/I:P/A:P", "cvss_v3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "cwe_ids": [ "CWE-1035", "CWE-668", "CWE-937" ], "date": "2021-08-07", "description": "A race condition flaw was found in Ansible Engine when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in `/var/tmp`. This directory is created with `umask \u0026\u0026 mkdir -p \u003cdir\u003e`; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating `/proc/\u003cpid\u003e/cmdline`.", "fixed_versions": [ "2.7.17", "2.8.8", "2.9.6" ], "identifier": "CVE-2020-1733", "identifiers": [ "CVE-2020-1733" ], "not_impacted": "All versions after 2.7.16 before 2.8.0, all versions starting from 2.8.8 before 2.9.0, all versions after 2.9.5", "package_slug": "pypi/ansible", "pubdate": "2020-03-11", "solution": "Upgrade to versions 2.7.17, 2.8.8, 2.9.6 or above.", "title": "Exposure of Resource to Wrong Sphere", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-1733", "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733" ], "uuid": "32501cab-be64-452f-a297-fa90e9fb0eb0" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "2.7.16", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.8.8", "versionStartIncluding": "2.8.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "2.9.5", "versionStartIncluding": "2.9.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.3.4", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.4.5", "versionStartIncluding": "3.3.5", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.5.5", "versionStartIncluding": "3.5.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "3.6.3", "versionStartIncluding": "3.6.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-1733" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with \"umask 77 \u0026\u0026 mkdir -p \u003cdir\u003e\"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating \u0027/proc/\u003cpid\u003e/cmdline\u0027." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-362" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733", "refsource": "CONFIRM", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733" }, { "name": "https://github.com/ansible/ansible/issues/67791", "refsource": "MISC", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/ansible/ansible/issues/67791" }, { "name": "FEDORA-2020-3990f03ba3", "refsource": "FEDORA", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/" }, { "name": "FEDORA-2020-1b6ce91e37", "refsource": "FEDORA", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/" }, { "name": "FEDORA-2020-f80154b5b4", "refsource": "FEDORA", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/" }, { "name": "[debian-lts-announce] 20200505 [SECURITY] [DLA 2202-1] ansible security update", "refsource": "MLIST", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html" }, { "name": "GLSA-202006-11", "refsource": "GENTOO", "tags": [ "Third Party Advisory" ], "url": "https://security.gentoo.org/glsa/202006-11" }, { "name": "DSA-4950", "refsource": "DEBIAN", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2021/dsa-4950" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.7, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 1.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "userInteractionRequired": true }, "baseMetricV3": { "cvssV3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 0.8, "impactScore": 3.7 } }, "lastModifiedDate": "2022-04-25T17:37Z", "publishedDate": "2020-03-11T19:15Z" } } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.