CVE-2020-10691

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691 Issue Tracking Mitigation Vendor Advisory
https://github.com/ansible/ansible/pull/68596 Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-04-30 17:15

Updated : 2024-02-04 21:00


NVD link : CVE-2020-10691

Mitre link : CVE-2020-10691

CVE.ORG link : CVE-2020-10691


JSON object : View

Products Affected

redhat

  • ansible_engine
  • ansible_tower
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')