Vulnerability DatabaseCVE-2020-1740
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2020-1740
March 16, 2020
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Affected Packages
ansible (PYTHON):
Affected version(s) >=2.8.0a1 <2.8.11
Fix Suggestion:
Update to version 2.8.11
ansible (PYTHON):
Affected version(s) >=1.0 <2.7.17
Fix Suggestion:
Update to version 2.7.17
ansible (PYTHON):
Affected version(s) >=2.9.0b1 <2.9.7
Fix Suggestion:
Update to version 2.9.7
Related Resources (22)
https://github.com/ansible/ansible/commit/28f9fbdb5e281976e33f443193047068afb97a9b
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S
https://security.gentoo.org/glsa/202006-11
https://github.com/ansible/ansible
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
https://github.com/ansible/ansible/issues/67798
https://www.debian.org/security/2021/dsa-4950
https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-12.yaml
https://github.com/ansible/ansible/commit/685a4b6d3ff72186d2b4ffce73172a5446a71ccc
https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB
https://nvd.nist.gov/vuln/detail/CVE-2020-1740
https://github.com/ansible/ansible/commit/2a563514f070a0a8ba64aebf6bce21194be96c73
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740
https://github.com/advisories/GHSA-vcg8-98q8-g7mj
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
https://github.com/ansible/ansible/commit/ef32a5bf96a89107986375516285253c1380d7ef
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
Do you need more information?
Contact Us
CVSS v4
Base Score:
1
Attack Vector
LOCAL
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.9
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
CVSS v2
Base Score:
1.9
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200
Insecure Temporary File
CWE-377
EPSS
Base Score:
0.03