Vulnerability DatabaseCVE-2020-1735
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2020-1735
March 16, 2020
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Affected Packages
ansible (PYTHON):
Affected version(s) >=2.8.0a1 <2.8.12
Fix Suggestion:
Update to version 2.8.12
ansible (PYTHON):
Affected version(s) >=2.9.0b1 <2.9.8
Fix Suggestion:
Update to version 2.9.8
ansible (PYTHON):
Affected version(s) >=2.7.0a1 <2.7.18
Fix Suggestion:
Update to version 2.7.18
Related Resources (21)
https://github.com/ansible/ansible/issues/67793
https://github.com/advisories/GHSA-gfr2-qpxh-qj9m
https://nvd.nist.gov/vuln/detail/CVE-2020-1735
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
https://github.com/ansible/ansible/pull/69023
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735
https://github.com/ansible/ansible/commit/40969ff43812fabf5397f818d9e521f9b39c9c9a
https://www.debian.org/security/2021/dsa-4950
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
https://security.gentoo.org/glsa/202006-11
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes-7
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB
https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-7.yaml
https://github.com/ansible/ansible/pull/69025
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S
https://github.com/ansible/ansible
https://github.com/ansible/ansible/pull/69024
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
https://github.com/ansible/ansible/commit/de9a4f5474c5f5db442ae7493d6b5da7177e335d
https://github.com/ansible/ansible/commit/18f91bbb88a84b1d3614ef41c3550da735592ac1
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.4
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.2
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
CVSS v2
Base Score:
3.6
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22
EPSS
Base Score:
0.15